%20--%3e%3csvg%20version='1.1'%20id='Layer_1'%20x='0px'%20y='0px'%20viewBox='0%200%20107.30001%20140.79999'%20xml:space='preserve'%20sodipodi:docname='mind_logo_positief.svg'%20width='107.30001'%20height='140.79999'%20xmlns:inkscape='http://www.inkscape.org/namespaces/inkscape'%20xmlns:sodipodi='http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd'%20xmlns='http://www.w3.org/2000/svg'%20xmlns:svg='http://www.w3.org/2000/svg'%3e%3cdefs%20id='defs29'%20/%3e%3csodipodi:namedview%20id='namedview29'%20pagecolor='%23505050'%20bordercolor='%23eeeeee'%20borderopacity='1'%20inkscape:showpageshadow='0'%20inkscape:pageopacity='0'%20inkscape:pagecheckerboard='0'%20inkscape:deskcolor='%23d1d1d1'%3e%3cinkscape:page%20x='0'%20y='0'%20width='107.30001'%20height='140.79999'%20id='page2'%20margin='0'%20bleed='0'%20/%3e%3c/sodipodi:namedview%3e%3cstyle%20type='text/css'%20id='style1'%3e%20.st0{fill:%231F1FA3;}%20.st1{fill:url(%23SVGID_1_);}%20.st2{fill:url(%23SVGID_00000033333245342322421190000001486717665348835473_);}%20.st3{fill:url(%23SVGID_00000075852413222229328580000001131059578544388517_);}%20%3c/style%3e%3cg%20id='g9'%20transform='translate(-21.299999,-20.6)'%3e%3clinearGradient%20id='SVGID_1_'%20gradientUnits='userSpaceOnUse'%20x1='4.8695998'%20y1='142.78'%20x2='99.248901'%20y2='35.348301'%3e%3cstop%20offset='0'%20style='stop-color:%2347EFF0'%20id='stop4'%20/%3e%3cstop%20offset='1'%20style='stop-color:%23297BFF'%20id='stop5'%20/%3e%3c/linearGradient%3e%3crect%20x='21.299999'%20y='64'%20class='st1'%20width='19.9'%20height='97.400002'%20id='rect5'%20style='fill:url(%23SVGID_1_)'%20/%3e%3clinearGradient%20id='SVGID_00000007421653842672228110000012418760815982452352_'%20gradientUnits='userSpaceOnUse'%20x1='23.7796'%20y1='159.3925'%20x2='118.1588'%20y2='51.9608'%3e%3cstop%20offset='0'%20style='stop-color:%2347EFF0'%20id='stop6'%20/%3e%3cstop%20offset='1'%20style='stop-color:%23297BFF'%20id='stop7'%20/%3e%3c/linearGradient%3e%3cpath%20style='fill:url(%23SVGID_00000007421653842672228110000012418760815982452352_)'%20d='M%2072.3,64%20H%2064%20v%2075.2%20H%2085.1%20V%2076.8%20C%2085.1,69.7%2079.4,64%2072.3,64%20Z'%20id='path7'%20/%3e%3clinearGradient%20id='SVGID_00000072986549029232277750000008760038133176911550_'%20gradientUnits='userSpaceOnUse'%20x1='20.501699'%20y1='156.51289'%20x2='114.881'%20y2='49.0812'%3e%3cstop%20offset='0'%20style='stop-color:%2347EFF0'%20id='stop8'%20/%3e%3cstop%20offset='1'%20style='stop-color:%23297BFF'%20id='stop9'%20/%3e%3c/linearGradient%3e%3cpath%20style='fill:url(%23SVGID_00000072986549029232277750000008760038133176911550_)'%20d='M%2073.6,20.6%20H%2064%20v%2019.9%20h%209.6%20c%2019.3,0%2035.1,15.7%2035.1,35.1%20v%2044.3%20h%2019.9%20V%2075.6%20c%200,-30.3%20-24.7,-55%20-55,-55%20z'%20id='path9'%20/%3e%3c/g%3e%3c/svg%3e)
Project
Branch
Version
2025.02.x
6.0
Name
unzip
Version
6.0
Type
library
Description
-
Licenses
Info-ZIP
PURL
-
CPE
cpe:2.3:a:unzip_project:unzip:6.0:-:*:*:*:*:*:*
Other Versions#
Patches#
#
Title
Author
Resolve
1
In Debian, manpages are in section 1, not in section 1L
Santiago Vila <sanvila@debian.org>
2
"Branding patch": UnZip by Debian. Original by Info-ZIP.
Santiago Vila <sanvila@debian.org>
3
#include <unistd.h> for kFreeBSD
Aurelien Jarno <aurel32@debian.org>
4
Handle the PKWare verification bit of internal attributes
"Steven M. Schweda" <sms@antinode.info>
5
Restore uid and gid information when requested
"Steven M. Schweda" <sms@antinode.info>
6
Initialize the symlink flag
Andreas Schwab <schwab@linux-m68k.org>
7
Increase size of cfactorstr array to avoid buffer overflow
"Steven M. Schweda" <sms@antinode.info>
CVE-2018-18384
8
zipinfo.c: Do not crash when hostver byte is >= 100
Santiago Vila <sanvila@debian.org>
9
Fix CVE-2014-8139: CRC32 verification heap-based overflow
"Steven M. Schweda" <sms@antinode.info>
CVE-2014-8139
10
Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
"Steven M. Schweda" <sms@antinode.info>
CVE-2014-8140
11
Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
"Steven M. Schweda" <sms@antinode.info>
CVE-2014-8141
12
Info-ZIP UnZip buffer overflow
mancha <mancha1 AT zoho DOT com>
CVE-2014-9636
13
Remove build date
Jérémy Bobbio <lunar@debian.org>
14
Upstream fix for heap overflow
Petr Stodulka <pstodulk@redhat.com>
CVE-2015-7696
15
fix infinite loop when extracting empty bzip2 data
Kamil Dudka <kdudka@redhat.com>
CVE-2015-7697
16
extract: prevent unsigned overflow on invalid input
Kamil Dudka <kdudka@redhat.com>
17
Do not ignore extra fields containing Unix Timestamps
"Steven M. Schweda" <sms@antinode.info>
18
Fix CVE-2014-9913, buffer overflow in unzip
"Steven M. Schweda" <sms@antinode.info>
CVE-2014-9913
19
Fix CVE-2016-9844, buffer overflow in zipinfo
"Steven M. Schweda" <sms@antinode.info>
CVE-2016-9844
20
Fix buffer overflow in password protected zip archives
Karol Babioch <kbabioch@suse.com>
CVE-2018-1000035
21
Fix lame code in fileio.c
"Steven M. Schweda" <sms@antinode.info>
22
Fix bug in undefer_input() that misplaced the input state.
Mark Adler <madler@alumni.caltech.edu>
CVE-2019-13232
23
Detect and reject a zip bomb using overlapped entries.
Mark Adler <madler@alumni.caltech.edu>
CVE-2019-13232
24
Do not raise a zip bomb alert for a misplaced central directory.
Mark Adler <madler@alumni.caltech.edu>
CVE-2019-13232
25
Fix bug in UZbunzip2() that incorrectly updated G.incnt
Mark Adler <madler@alumni.caltech.edu>
CVE-2019-13232
26
Fix bug in UZinflate() that incorrectly updated G.incnt.
Mark Adler <madler@alumni.caltech.edu>
CVE-2019-13232
27
zipgrep: Avoid test errors when no members present
Kevin Locke <kevin@kevinlocke.name>
28
Fix for CVE-2022-0529 and CVE-2022-0530
Steven M. Schweda <sms@antinode.info>
CVE-2022-0529
CVE-2022-0530
29
Handle Microsoft ZIP64 files by ignoring invalid "Total number of disks" field
Roy Tam
30
Drop conflicting declarations of gmtime() and localtime()
Santiago Vila <sanvila@debian.org>
31
Do not escape shell-special characters in "pat"
Vincent Lefevre <vincent@vinc17.net>
32
Fix null pointer dereference and use of uninitialized data
Nils Bars <nils.bars@t-online.de>
CVE-2021-4217
33
Add a CMakeFile.txt to ease cross-compilation
Luca Ceresoli <luca@lucaceresoli.net>
Vulnerabilities#
Name
Analysis
Description
Patched
A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
Patched
A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
Patched
A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
Patched
Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip bomb" issue.
Patched
Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value, because a buffer size is 10 and is supposed to be 12.
Patched
A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.
Patched
Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory file header.
Patched
Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (infinite loop) via empty bzip2 data in a ZIP archive.
Patched
Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly execute arbitrary code via a crafted password-protected ZIP archive, possibly related to an Extra-Field size value.
Patched
Buffer overflow in the list_files function in list.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via vectors related to the compression method.
Patched
unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression.
Patched
Heap-based buffer overflow in the getZip64Data function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.
Patched
Heap-based buffer overflow in the test_compr_eb function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.
Patched
Heap-based buffer overflow in the CRC32 verification in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.