%20--%3e%3csvg%20version='1.1'%20id='Layer_1'%20x='0px'%20y='0px'%20viewBox='0%200%20107.30001%20140.79999'%20xml:space='preserve'%20sodipodi:docname='mind_logo_positief.svg'%20width='107.30001'%20height='140.79999'%20xmlns:inkscape='http://www.inkscape.org/namespaces/inkscape'%20xmlns:sodipodi='http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd'%20xmlns='http://www.w3.org/2000/svg'%20xmlns:svg='http://www.w3.org/2000/svg'%3e%3cdefs%20id='defs29'%20/%3e%3csodipodi:namedview%20id='namedview29'%20pagecolor='%23505050'%20bordercolor='%23eeeeee'%20borderopacity='1'%20inkscape:showpageshadow='0'%20inkscape:pageopacity='0'%20inkscape:pagecheckerboard='0'%20inkscape:deskcolor='%23d1d1d1'%3e%3cinkscape:page%20x='0'%20y='0'%20width='107.30001'%20height='140.79999'%20id='page2'%20margin='0'%20bleed='0'%20/%3e%3c/sodipodi:namedview%3e%3cstyle%20type='text/css'%20id='style1'%3e%20.st0{fill:%231F1FA3;}%20.st1{fill:url(%23SVGID_1_);}%20.st2{fill:url(%23SVGID_00000033333245342322421190000001486717665348835473_);}%20.st3{fill:url(%23SVGID_00000075852413222229328580000001131059578544388517_);}%20%3c/style%3e%3cg%20id='g9'%20transform='translate(-21.299999,-20.6)'%3e%3clinearGradient%20id='SVGID_1_'%20gradientUnits='userSpaceOnUse'%20x1='4.8695998'%20y1='142.78'%20x2='99.248901'%20y2='35.348301'%3e%3cstop%20offset='0'%20style='stop-color:%2347EFF0'%20id='stop4'%20/%3e%3cstop%20offset='1'%20style='stop-color:%23297BFF'%20id='stop5'%20/%3e%3c/linearGradient%3e%3crect%20x='21.299999'%20y='64'%20class='st1'%20width='19.9'%20height='97.400002'%20id='rect5'%20style='fill:url(%23SVGID_1_)'%20/%3e%3clinearGradient%20id='SVGID_00000007421653842672228110000012418760815982452352_'%20gradientUnits='userSpaceOnUse'%20x1='23.7796'%20y1='159.3925'%20x2='118.1588'%20y2='51.9608'%3e%3cstop%20offset='0'%20style='stop-color:%2347EFF0'%20id='stop6'%20/%3e%3cstop%20offset='1'%20style='stop-color:%23297BFF'%20id='stop7'%20/%3e%3c/linearGradient%3e%3cpath%20style='fill:url(%23SVGID_00000007421653842672228110000012418760815982452352_)'%20d='M%2072.3,64%20H%2064%20v%2075.2%20H%2085.1%20V%2076.8%20C%2085.1,69.7%2079.4,64%2072.3,64%20Z'%20id='path7'%20/%3e%3clinearGradient%20id='SVGID_00000072986549029232277750000008760038133176911550_'%20gradientUnits='userSpaceOnUse'%20x1='20.501699'%20y1='156.51289'%20x2='114.881'%20y2='49.0812'%3e%3cstop%20offset='0'%20style='stop-color:%2347EFF0'%20id='stop8'%20/%3e%3cstop%20offset='1'%20style='stop-color:%23297BFF'%20id='stop9'%20/%3e%3c/linearGradient%3e%3cpath%20style='fill:url(%23SVGID_00000072986549029232277750000008760038133176911550_)'%20d='M%2073.6,20.6%20H%2064%20v%2019.9%20h%209.6%20c%2019.3,0%2035.1,15.7%2035.1,35.1%20v%2044.3%20h%2019.9%20V%2075.6%20c%200,-30.3%20-24.7,-55%20-55,-55%20z'%20id='path9'%20/%3e%3c/g%3e%3c/svg%3e)
Name
unzip
Version
6.0
Type
library
Description
Utilities for extracting and viewing files in .zip archives
Licenses
Info-ZIP
PURL
-
CPE
cpe:2.3:*:unzip_project:unzip:6.0:*:*:*:*:*:*:*
Other Versions#
Patches#
#
Title
Author
Resolve
1
fix infinite loop when extracting empty bzip2 data
Kamil Dudka <kdudka@redhat.com>
CVE-2015-7697
2
Fix null pointer dereference and use of uninitialized data
Nils Bars <nils.bars@t-online.de>
CVE-2021-4217
3
unzip files encoded with non-latin, non-unicode file names
Giovanni Scafora <giovanni.archlinux.org>
CVE-2015-1315
4
Patch #4
Unknown
CVE-2022-0530
5
Fix CVE-2014-9913, buffer overflow in unzip
"Steven M. Schweda" <sms@antinode.info>
CVE-2014-9913
6
Fix bug in undefer_input() that misplaced the input
Mark Adler <madler@alumni.caltech.edu>
CVE-2019-13232
7
configure: Add correct system headers and prototypes to tests
Khem Raj <raj.khem@gmail.com>
8
Fix CVE-2014-8139: CRC32 verification heap-based overflow
sms
CVE-2014-8139
9
Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
sms
CVE-2014-8140
10
Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
sms
CVE-2014-8141
11
upstream fix for heap overflow
Petr Stodulka <pstodulk@redhat.com>
CVE-2015-7696
12
Patch #12
Unknown
CVE-2022-0529
13
Patch #13
Edwin Plauchu <edwin.plauchu.camacho@intel.com>
14
unzip: fix CVE-2018-1000035
Changqing Li <changqing.li@windriver.com>
CVE-2018-1000035
15
Do not raise a zip bomb alert for a misplaced central
Mark Adler <madler@alumni.caltech.edu>
CVE-2019-13232
16
Patch #16
Ross Burton <ross.burton@intel.com>
17
Patch #17
Mikko Rapeli <mikko.rapeli@bmw.de>
18
unix/configure: fix detection for cross compilation
Chen Qi <Qi.Chen@windriver.com>
19
Detect and reject a zip bomb using overlapped entries.
Mark Adler <madler@alumni.caltech.edu>
CVE-2019-13232
20
Info-ZIP UnZip buffer overflow
mancha <mancha1 AT zoho DOT com>
CVE-2014-9636
21
Fix CVE-2016-9844, buffer overflow in zipinfo
"Steven M. Schweda" <sms@antinode.info>
CVE-2016-9844
22
Patch #22
Changqing Li <changqing.li@windriver.com>
CVE-2018-18384
23
Patch #23
Mikhail Durnev <Mikhail_Durnev@mentor.com>
24
configure: Pass LDFLAGS to tests doing link step
Khem Raj <raj.khem@gmail.com>
25
Patch #25
Mark Hatle <mark.hatle@windriver.com>
Vulnerabilities#
Name
Analysis
Description
Patched
A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
Patched
A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
Patched
A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
Patched
Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip bomb" issue.
Patched
Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value, because a buffer size is 10 and is supposed to be 12.
Patched
A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.
Patched
Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory file header.
Patched
Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (infinite loop) via empty bzip2 data in a ZIP archive.
Patched
Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly execute arbitrary code via a crafted password-protected ZIP archive, possibly related to an Extra-Field size value.
Patched
Buffer overflow in the charset_to_intern function in unix/unix.c in Info-Zip UnZip 6.10b allows remote attackers to execute arbitrary code via a crafted string, as demonstrated by converting a string from CP866 to UTF-8.
Patched
Buffer overflow in the list_files function in list.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via vectors related to the compression method.
Patched
unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression.
Patched
Heap-based buffer overflow in the getZip64Data function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.
Patched
Heap-based buffer overflow in the test_compr_eb function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.
Patched
Heap-based buffer overflow in the CRC32 verification in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.