Update unzip to work with new ipsw files

1 files changed, 467 insertions, 0 deletions

diff --git a/data/unzip/debian/changelog b/data/unzip/debian/changelog
new file mode 100644
index 000000000..1100fa175
--- /dev/null
+++ b/data/unzip/debian/changelog
@@ -0,0 +1,467 @@
+unzip (6.0-21+deb9u1) stretch; urgency=medium
+
+  * Fix buffer overflow in password protected ZIP archives. Closes: #889838.
+    Patch borrowed from SUSE. For reference, this is CVE-2018-1000035.
+
+ -- Santiago Vila <sanvila@debian.org>  Wed, 17 Apr 2019 21:23:40 +0200
+
+unzip (6.0-21) unstable; urgency=medium
+
+  * Rename all debian/patches/* to have .patch ending.
+  * Update 12-cve-2014-9636-test-compr-eb.patch to follow revised
+    patch "unzip-6.0_overflow3.diff" from mancha (patch author).
+    Update also to follow upstream coding style.
+  * Drop workaround for gcc optimization bug on ARM (GCC Bug #764732)
+    in the hope that it's not present anymore in GCC-6.
+  * Allow source to be cross-built. Closes: #836051.
+  * Do not ignore Unix Timestamps. Closes: #842993. Patch by the author.
+  * Fix CVE-2014-9913, buffer overflow in unzip. Closes: #847485.
+    Patch by the author.
+  * Fix CVE-2016-9844, buffer overflow in zipinfo. Closes: #847486.
+    Patch by the author.
+
+ -- Santiago Vila <sanvila@debian.org>  Sun, 11 Dec 2016 21:03:30 +0100
+
+unzip (6.0-20) unstable; urgency=high
+
+  * Update debian/patches/16-fix-integer-underflow-csiz-decrypted to fix
+    regression on encrypted 0-byte files. Closes: #804595.
+    Thanks to Marc Deslauriers for the fix in Ubuntu.
+
+ -- Santiago Vila <sanvila@debian.org>  Mon, 09 Nov 2015 22:15:32 +0100
+
+unzip (6.0-19) unstable; urgency=medium
+
+  * Fix infinite loop when extracting password-protected archive.
+    This is CVE-2015-7697. Closes: #802160.
+  * Fix heap overflow when extracting password-protected archive.
+    This is CVE-2015-7696. Closes: #802162.
+  * Fix additional unsigned overflow on invalid input.
+  * Thanks a lot to Raphaël Hertzog for the squeeze-lts release,
+    from which this upload is mainly derived.
+
+ -- Santiago Vila <sanvila@debian.org>  Thu, 22 Oct 2015 12:12:46 +0200
+
+unzip (6.0-18) unstable; urgency=medium
+
+  * Ship a debian/copyright file in source package instead of generating
+    it a build time. Closes: #795567.
+
+ -- Santiago Vila <sanvila@debian.org>  Sun, 16 Aug 2015 23:34:42 +0200
+
+unzip (6.0-17) unstable; urgency=medium
+
+  * Switch to dh.
+  * Remove build date embedded in binary to make the build reproducible.
+    Thanks to Jérémy Bobbio <lunar@debian.org>. Closes: #782851.
+
+ -- Santiago Vila <sanvila@debian.org>  Sun, 17 May 2015 12:41:52 +0200
+
+unzip (6.0-16) unstable; urgency=medium
+
+  * Update 09-cve-2014-8139-crc-overflow to fix CVE-2014-8139
+    the right way (patch by the author). Closes: #775640.
+  * Update 10-cve-2014-8140-test-compr-eb to apply cleanly.
+  * Update 12-cve-2014-9636-test-compr-eb to follow the extract.c
+    file from the author.
+
+ -- Santiago Vila <sanvila@debian.org>  Fri, 30 Jan 2015 22:16:08 +0100
+
+unzip (6.0-15) unstable; urgency=medium
+
+  * Fix heap overflow. Ensure that compressed and uncompressed
+    block sizes match when using STORED method in extract.c.
+    Patch taken from Ubuntu. Thanks a lot. Closes: #776589.
+    For reference, this is CVE-2014-9636.
+
+ -- Santiago Vila <sanvila@debian.org>  Thu, 29 Jan 2015 18:39:52 +0100
+
+unzip (6.0-14) unstable; urgency=medium
+
+  * Drop -O2 optimization on armhf as a workaround for gcc Bug #764732.
+    Closes: #773785.
+
+ -- Santiago Vila <sanvila@debian.org>  Tue, 30 Dec 2014 22:17:12 +0100
+
+unzip (6.0-13) unstable; urgency=medium
+
+  * Apply upstream fix for three security bugs. Closes: #773722.
+    CVE-2014-8139: CRC32 verification heap-based overflow
+    CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
+    CVE-2014-8141: out-of-bounds read issues in getZip64Data()
+
+ -- Santiago Vila <sanvila@debian.org>  Mon, 22 Dec 2014 19:16:10 +0100
+
+unzip (6.0-12) unstable; urgency=medium
+
+  * Fix zipinfo crash where a value <= 25.5 was printed in a buffer
+    having room only for values < 10.0. The integral part is now printed
+    at attribs[11] using %2u instead of attribs[12] using %u.
+    This way the output is the same as before for values < 10.
+    Authors tell me that the next unzip release will have a fix
+    like this, at least for the Unix case. Closes: #744212.
+
+ -- Santiago Vila <sanvila@debian.org>  Thu, 24 Apr 2014 23:39:38 +0200
+
+unzip (6.0-11) unstable; urgency=medium
+
+  * Lowered mime priority to 3, somewhat below 5 which is file-roller
+    default value. Closes: #727306.
+  * Increase size of cfactorstr array in list.c to avoid a buffer
+    overflow problem. Closes: #741384.
+
+ -- Santiago Vila <sanvila@debian.org>  Mon, 17 Mar 2014 17:38:50 +0100
+
+unzip (6.0-10) unstable; urgency=low
+
+  * Fixed bug "unzip thinks some files are symlinks". Closes: #717029.
+    Reported by Jeff King. Patch by Andreas Schwab.
+  * Added recommended targets build-arch and build-indep.
+  * Dropped obsolete Conflicts and Replaces on unzip-crypt, for which
+    the last version was a dummy transitional package.
+  * The copyright file is generated from copyright.in at build time.
+    Added lintian override for no-debian-copyright.
+
+ -- Santiago Vila <sanvila@debian.org>  Mon, 14 Oct 2013 18:48:40 +0200
+
+unzip (6.0-9) unstable; urgency=low
+
+  * Added NO_WORKING_ISPRINT to DEFINES so that UTF8 filenames are
+    displayed correctly. Reported by Slavek Banko. Closes: #682682.
+  * Use the right strip command when cross-building. Closes: #695141.
+
+ -- Santiago Vila <sanvila@debian.org>  Sun, 24 Feb 2013 17:12:00 +0100
+
+unzip (6.0-8) unstable; urgency=low
+
+  * Made unzip -X to actually restore uid/gid information.
+    Closes: #689212. Thanks to Axel Scheepers for the report.
+  * Disabled memcpy, as it is being used on overlapping buffers,
+    leading to data corruption. Closes: #694601.
+    Thanks to M Joonas Pihlaja for the report.
+
+ -- Santiago Vila <sanvila@debian.org>  Wed, 28 Nov 2012 12:41:34 +0100
+
+unzip (6.0-7) unstable; urgency=low
+
+  * Added Multi-Arch: foreign. Closes: #678812.
+
+ -- Santiago Vila <sanvila@debian.org>  Sat, 30 Jun 2012 14:17:42 +0200
+
+unzip (6.0-6) unstable; urgency=low
+
+  * Added hardening flags. Closes: #656268.
+
+ -- Santiago Vila <sanvila@debian.org>  Sun, 01 Apr 2012 00:01:40 +0200
+
+unzip (6.0-5) unstable; urgency=low
+
+  * Handle the PKWare verification bit of internal attributes.
+    Patch taken from 6.10 beta. Thanks to sms. Closes: #630078.
+
+ -- Santiago Vila <sanvila@debian.org>  Fri, 01 Jul 2011 19:06:08 +0200
+
+unzip (6.0-4) unstable; urgency=low
+
+  * Added homepage field to control file.
+  * Switch to 3.0 (quilt) source format.
+  * Support cross-build.
+
+ -- Santiago Vila <sanvila@debian.org>  Sun, 21 Feb 2010 17:01:00 +0100
+
+unzip (6.0-3) unstable; urgency=low
+
+  * Added "set -e" to postinst and postrm.
+
+ -- Santiago Vila <sanvila@debian.org>  Tue, 09 Feb 2010 23:53:42 +0100
+
+unzip (6.0-2) unstable; urgency=low
+
+  * Do not ignore errors from make clean (lintian warning)
+  * Remove .comment section from executables (lintian warning).
+  * Added mime stuff so that mutt is able to see the contents of a zipfile
+    using "unzip -l". Closes: #474538.
+
+ -- Santiago Vila <sanvila@debian.org>  Mon, 08 Feb 2010 18:44:00 +0100
+
+unzip (6.0-1) unstable; urgency=low
+
+  * New upstream release. Closes: #496989.
+  * Enabled new Unicode support. Closes: #197427. This may or may not work
+    for your already created zipfiles, but it's not a bug unless they were
+    created using the Unicode feature present in zip 3.0.
+  * Built using DATE_FORMAT=DF_YMD so that unzip -l show dates in ISO format,
+    as that's the only available one which makes sense. Closes: #312886.
+  * Enabled new bzip2 support. Closes: #426798.
+  * Exit code for zipgrep should now be the right one. Closes: #441997.
+  * The reason why a file may not be created is now shown. Closes: #478791.
+  * Summary of changes in this version not being the debian/* files:
+  - Manpages in section 1, not 1L.
+  - Branding patch. UnZip by Debian. Original by Info-ZIP.
+  - Always #include <unistd.h>. Debian GNU/kFreeBSD needs it.
+
+ -- Santiago Vila <sanvila@debian.org>  Fri, 08 May 2009 20:02:40 +0200
+
+unzip (5.52-12) unstable; urgency=medium
+
+  * Fixed stack underflow in unshrink.c. Closes: #454037.
+    Thanks to Christian Spieler for the patch.
+
+ -- Santiago Vila <sanvila@debian.org>  Sat, 26 Jul 2008 16:51:38 +0200
+
+unzip (5.52-11) unstable; urgency=high
+
+  * Apply patch from Tavis Ormandy to address invalid free() calls in
+    the inflate_dynamic() function (CVE-2008-0888).
+
+ -- Santiago Vila <sanvila@debian.org>  Thu, 20 Mar 2008 17:53:00 +0100
+
+unzip (5.52-10) unstable; urgency=low
+
+  * Fixed typo in unzipsfx(1). Thanks to Kevin Ryde. Closes: #419479.
+
+ -- Santiago Vila <sanvila@debian.org>  Mon,  2 Jul 2007 18:08:44 +0200
+
+unzip (5.52-9) unstable; urgency=low
+
+  * Added appropriate compiler flags for Large File Support (Closes: #192253).
+    This procedure is blessed by upstream in the FAQ, and as a result,
+    some .zip archives may now be uncompressed using Debian unzip.
+    For those which still may not, please test unzip 6.0 beta.
+
+ -- Santiago Vila <sanvila@debian.org>  Wed, 30 Aug 2006 10:34:24 +0200
+
+unzip (5.52-8) unstable; urgency=low
+
+  * Modified unix/unxcfg.h to always #include <unistd.h>.
+    This should now work on GNU/kFreeBSD (Closes: #340693).
+
+ -- Santiago Vila <sanvila@debian.org>  Tue, 25 Apr 2006 19:50:24 +0200
+
+unzip (5.52-7) unstable; urgency=medium
+
+  * Fixed buffer overflow when insanely long filenames are given on the
+    command line. Patch from Johnny Lee. Changed some format strings so
+    that they use 512 characters at most. The "right" fix will be in 5.53,
+    but this should work well enough for now. Closes: #349794.
+  * This is CVE-2005-4667.
+
+ -- Santiago Vila <sanvila@debian.org>  Thu, 16 Mar 2006 10:31:20 +0100
+
+unzip (5.52-6) unstable; urgency=medium
+
+  * Symlinks should work again (Closes: #343680). Fix provided by
+    Christian Spieler. Thanks to Carl W. Hoffman for the report.
+
+ -- Santiago Vila <sanvila@debian.org>  Tue, 20 Dec 2005 19:18:32 +0100
+
+unzip (5.52-5) unstable; urgency=low
+
+  * Fixed CAN-2005-2475 the same way it will be fixed in unzip 5.53.
+    Patch extracted from a prerelease provided by upstream.
+  * Changed unzip banner line to reflect the fact that this is
+    a "modified" release. Debian-derived distributions should probably
+    do the same if they deviate from the Debian version.
+
+ -- Santiago Vila <sanvila@debian.org>  Thu, 17 Nov 2005 16:34:24 +0100
+
+unzip (5.52-4) unstable; urgency=medium
+
+  * Fixed toctou vulnerability (Closes: #321927). Modified unix/unix.c
+    to use fchmod() and fchown() instead of chmod() and chown() to change
+    permissions and ownerships on the files actually created by unzip.
+    Patch from Dan Yefimov. CAN-2005-2475.
+
+ -- Santiago Vila <sanvila@debian.org>  Wed,  9 Nov 2005 18:05:02 +0100
+
+unzip (5.52-3) unstable; urgency=low
+
+  * Put manpages in section 1, not 1L.
+  * Fixed more typos (Closes: #309885).
+
+ -- Santiago Vila <sanvila@debian.org>  Wed, 25 May 2005 16:09:02 +0200
+
+unzip (5.52-2) unstable; urgency=low
+
+  * Fixed typos in manpage (Closes: #301915).
+
+ -- Santiago Vila <sanvila@debian.org>  Sun, 24 Apr 2005 19:27:02 +0200
+
+unzip (5.52-1) unstable; urgency=low
+
+  * New upstream release.
+  * Enabled new -W option via WILD_STOP_AT_DIR macro.
+  * Macro USE_UNSHRINK is no longer defined, as it's now the default.
+
+ -- Santiago Vila <sanvila@debian.org>  Tue,  1 Mar 2005 15:33:54 +0100
+
+unzip (5.51-2) unstable; urgency=low
+
+  * Added unshrinking support (Closes: #252563).
+
+ -- Santiago Vila <sanvila@debian.org>  Sun,  6 Jun 2004 17:57:46 +0200
+
+unzip (5.51-1) unstable; urgency=low
+
+  * New upstream release, improves error message when a zipfile is not
+    readable (Closes: #139331).
+  * Added a newline character to the CannotOpenZipfile string for the
+    previous fix to be really complete.
+
+ -- Santiago Vila <sanvila@debian.org>  Tue, 25 May 2004 14:38:26 +0200
+
+unzip (5.50-4) unstable; urgency=low
+
+  * Changed __GNU__ to __GLIBC__ in unix/unxcfg.h to support glibc-based
+    systems not being GNU itself, like GNU/KFreeBSD and GNU/KNetBSD.
+
+ -- Santiago Vila <sanvila@debian.org>  Sun, 16 Nov 2003 14:45:28 +0100
+
+unzip (5.50-3) unstable; urgency=high
+
+  * Fixed "unzip directory traversal revisited" again (Bug #206439).
+    There was still a missing case that the previous patch didn't catch.
+    Patch borrowed from unzip-5.50-33.src.rpm.
+  * For reference, this is (still) CAN-2003-0282.
+
+ -- Santiago Vila <sanvila@debian.org>  Wed, 20 Aug 2003 23:00:42 +0200
+
+unzip (5.50-2) unstable; urgency=high
+
+  * Fixed "unzip directory traversal revisited" problem (Bug #199648).
+    A filename containing ".somenonprintablechar." will not unpack
+    into .. anymore. Patch borrowed from unzip-5.50-11.src.rpm.
+  * For reference, this is CAN-2003-0282.
+  * No more doc symlinks.
+
+ -- Santiago Vila <sanvila@debian.org>  Mon,  7 Jul 2003 20:25:20 +0200
+
+unzip (5.50-1) unstable; urgency=low
+
+  * New upstream release.
+  * Moved from non-US/main to main. Section: utils.
+
+ -- Santiago Vila <sanvila@debian.org>  Sun, 24 Mar 2002 15:54:12 +0100
+
+unzip (5.42-3) unstable; urgency=low
+
+  * Added support for DEB_BUILD_OPTIONS.
+
+ -- Santiago Vila <sanvila@debian.org>  Sun, 11 Nov 2001 16:25:00 +0100
+
+unzip (5.42-2) unstable; urgency=low
+
+  * Applied a patch from Marcus Brinkmann:
+  - Closes: #99699: unzip does not build on the Hurd.
+  - Modified debian/rules to support cross-compilation.
+
+ -- Santiago Vila <sanvila@debian.org>  Wed,  6 Jun 2001 16:40:14 +0200
+
+unzip (5.42-1) unstable; urgency=low
+
+  * New upstream release.
+  * Changed to Section: non-US.
+  * Removed "packaged for Debian" from extended description.
+
+ -- Santiago Vila <sanvila@debian.org>  Thu, 10 May 2001 16:47:41 +0200
+
+unzip (5.41-1) unstable; urgency=low
+
+  * New upstream release, featuring a new BSD-like license and built-in
+    encryption support. Moved to non-US/main.
+  * Copyright file now generated from LICENSE file.
+  * Versioned Conflicts and Replaces.
+  * Standards-Version: 3.1.1
+
+ -- Santiago Vila <sanvila@debian.org>  Fri, 18 Aug 2000 19:03:59 +0200
+
+unzip (5.40-1) unstable; urgency=low
+
+  * New upstream release.
+  * Removed `email-from-greg'.
+  * Fixed URL location in copyright file.
+  * Enabled -F option, as suggested by James Aylett.
+
+ -- Santiago Vila <sanvila@ctv.es>  Fri, 22 Oct 1999 10:30:49 +0200
+
+unzip (5.32-1) unstable; urgency=low
+
+  * New upstream release, using pristine source.
+
+ -- Santiago Vila <sanvila@ctv.es>  Tue,  4 Nov 1997 14:19:20 +0100
+
+unzip (5.31-2) unstable; urgency=low
+
+  * Removed debstd dependency.
+
+ -- Santiago Vila <sanvila@ctv.es>  Fri, 17 Oct 1997 17:22:22 +0200
+
+unzip (5.31-1) unstable; urgency=low
+
+  * `copyright' file is generated from COPYING automatically.
+  * Distribution unstable, Section non-free.
+  * Conflicts and Replaces "unzip-crypt".
+  * New upstream release.
+  * First libc6 release.
+  * Added md5sums.
+
+ -- Santiago Vila <sanvila@ctv.es>  Fri, 12 Sep 1997 19:16:59 +0200
+
+unzip (5.20-3) unstable; urgency=low
+
+  * Changed priority from `extra' to `optional'.
+  * Changed section from `misc' to `utils'.
+  * Simplified debian/rules a little bit. No debstd yet.
+  * Copied `History.520' as is. Added the symlink changelog -> History.520.
+  * Added ToDo and BUGS to /usr/doc/unzip.
+  * New maintainer.
+
+ -- Santiago Vila <sanvila@ctv.es>  Sun, 16 Feb 1997 19:29:13 +0100
+
+unzip (5.20-2) unstable; urgency=low
+
+  * zipgrep manpage is now installed through the unix/Makefile
+  * permissions guaranteed to be set properly for the zipgrep script
+    (did not work for those who compiled from the straight sources.)
+  * removed several superfluous commands from debian/rules.
+  * All changes this revision are courtesy of Santiago Vila.
+
+ -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au>  Wed, 8 Jan 1997 18:48:00 +1100
+
+unzip (5.20-1) unstable; urgency=low
+
+  * new upstream version
+  * modified the copyright to include 5.2's COPYING, just in case it's changed.
+  * minor modifications to debian/rules
+  * added zipgrep (from the zip package).
+
+ -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au>  Wed, 13 Nov 1996 19:35:24 +1100
+
+unzip (5.12-15) unstable; urgency=low
+
+  * received email from the upstream maintainers: unzip can now go into
+    the distribution proper. Yippee! :-)
+  * added the email in question to the copyright file.
+
+ -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au>  Sat, 19 Oct 1996 18:34:21 +1000
+
+unzip (5.12-14) non-free; urgency=low
+
+  * moved to the 2.1.1.0 source format
+  * fixed a typo in the Maintainer field (missing the ">". Oops.)
+
+ -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au>  Sun, 1 Sep 1996 07:36:16 +1000
+
+unzip (5.12-13) non-free; urgency=low
+
+  * new maintainer
+  * mods to make the "binary" rule portable to different platforms
+  * uses dpkg-name rather than manual moving
+
+ -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au>  Tue, 30 Jul 1996 00:00:00 +0000
+
+unzip (5.12-12) non-free; urgency=low
+
+  * initial release (used 2 to avoid confusion with old unzip)
+
+ -- Carl Streeter <streeter@cae.wisc.edu>  Tue, 5 Sep 1995 00:00:00 +0000