A program to unpack compressed files
http://www.info-zip.org/
UnZip is an extraction utility for archives compressed in .zip format
(known as "zip files"). Although highly compatible both with PKWARE's
PKZIP(tm) and PKUNZIP utilities for MS-DOS and with Info-ZIP's own Zip
program, our primary objectives have been portability and non-MS-DOS
functionality. This version can also extract encrypted archives.
- Devel package for openSUSE:Factory
-
3
derived packages
- Links to openSUSE:Factory / unzip
- Download package
-
Checkout Package
osc -A https://api.opensuse.org checkout Archiving/unzip && cd $_
- Create Badge
Refresh
Refresh
Source Files
Revision 56 (latest revision is 64)
buildservice-autocommit
accepted
request 808172
from
Martin Pluskal (pluskalm)
(revision 56)
baserev update by copy to link target
Comments 2
There is a huge and probably very old bug in openSUSE unzip (Tumbleweed as well as 15.3). This bug is fixed in Ubuntu's unzip version, I looked at their patches and there's several CVEs missing here, and I assume it's one of these patches that fixed the issue.
The bug is when extracting an archive where file permissions are not explicitly set, occasionally (but reproducibly) one or more files get converted to be symlinks and the original content of the file is suddenly the link target.
This can easily be reproduced by downloading the zip archives from the Shopware/Platform project, e.g. https://github.com/shopware/platform/archive/dd2bf30d0519dcd9416dc269c88edcfd66f92add.zip
When downloading this zip archive and extracting it in the console with unzip the file
platform-dd2bf30d0519dcd9416dc269c88edcfd66f92add/src/Storefront/Resources/app/storefront/dist/assets/icon/default/editor-redo.svg
gets erroneously converted into a symlink. The fun thing about this bug is that you can reproduce it with nearly every single zip of a commit and it's always different files, but when extracting the same archive it's always the same file(s) that get converted into a symlink. This bug has caused us a lot of issues for the past year.I guess it's one of the not applied patches you can see here: https://sources.debian.org/patches/unzip/6.0-26/
kind regards, Kira Backes
https://bugzilla.suse.com/show_bug.cgi?id=1190273