-rw-r--r--data/unzip/_metadata/version2
-rw-r--r--data/unzip/debian/changelog467
-rw-r--r--data/unzip/debian/compat1
-rw-r--r--data/unzip/debian/control20
-rw-r--r--data/unzip/debian/copyright76
-rw-r--r--data/unzip/debian/mime1
-rw-r--r--data/unzip/debian/patches/01-manpages-in-section-1-not-in-section-1l.patch295
-rw-r--r--data/unzip/debian/patches/02-this-is-debian-unzip.patch16
-rw-r--r--data/unzip/debian/patches/03-include-unistd-for-kfreebsd.patch15
-rw-r--r--data/unzip/debian/patches/04-handle-pkware-verification-bit.patch21
-rw-r--r--data/unzip/debian/patches/05-fix-uid-gid-handling.patch29
-rw-r--r--data/unzip/debian/patches/06-initialize-the-symlink-flag.patch20
-rw-r--r--data/unzip/debian/patches/07-increase-size-of-cfactorstr.patch16
-rw-r--r--data/unzip/debian/patches/08-allow-greater-hostver-values.patch14
-rw-r--r--data/unzip/debian/patches/09-cve-2014-8139-crc-overflow.patch53
-rw-r--r--data/unzip/debian/patches/10-cve-2014-8140-test-compr-eb.patch27
-rw-r--r--data/unzip/debian/patches/11-cve-2014-8141-getzip64data.patch137
-rw-r--r--data/unzip/debian/patches/12-cve-2014-9636-test-compr-eb.patch40
-rw-r--r--data/unzip/debian/patches/13-remove-build-date.patch17
-rw-r--r--data/unzip/debian/patches/14-cve-2015-7696.patch33
-rw-r--r--data/unzip/debian/patches/15-cve-2015-7697.patch26
-rw-r--r--data/unzip/debian/patches/16-fix-integer-underflow-csiz-decrypted.patch32
-rw-r--r--data/unzip/debian/patches/17-restore-unix-timestamps-accurately.patch41
-rw-r--r--data/unzip/debian/patches/18-cve-2014-9913-unzip-buffer-overflow.patch29
-rw-r--r--data/unzip/debian/patches/19-cve-2016-9844-zipinfo-buffer-overflow.patch28
-rw-r--r--data/unzip/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch35
-rw-r--r--data/unzip/debian/patches/series20
-rw-r--r--data/unzip/debian/postinst5
-rw-r--r--data/unzip/debian/postrm5
-rwxr-xr-xdata/unzip/debian/rules34
-rw-r--r--data/unzip/debian/source/format1
-rw-r--r--data/unzip/debian/source/lintian-overrides2
-rw-r--r--data/unzip/debian/unzip.docs3
-rw-r--r--data/unzip/debian/unzip.install2
-rw-r--r--data/unzip/debian/unzip.links1
-rw-r--r--data/unzip/make.sh14
-rw-r--r--data/unzip/timestamp.diff246
-rw-r--r--data/unzip/unzip_6.0-21+deb9u1.debian.tar.xzbin0 -> 18196 bytes
38 files changed, 1575 insertions, 249 deletions
diff --git a/data/unzip/_metadata/version b/data/unzip/_metadata/version
index e0ea36fee..e2c246fe1 100644
--- a/data/unzip/_metadata/version
+++ b/data/unzip/_metadata/version
@@ -1 +1 @@
-6.0
+6.0+deb9u1
diff --git a/data/unzip/debian/changelog b/data/unzip/debian/changelog
new file mode 100644
index 000000000..1100fa175
--- /dev/null
+++ b/data/unzip/debian/changelog
@@ -0,0 +1,467 @@
+unzip (6.0-21+deb9u1) stretch; urgency=medium
+
+ * Fix buffer overflow in password protected ZIP archives. Closes: #889838.
+ Patch borrowed from SUSE. For reference, this is CVE-2018-1000035.
+
+ -- Santiago Vila <sanvila@debian.org> Wed, 17 Apr 2019 21:23:40 +0200
+
+unzip (6.0-21) unstable; urgency=medium
+
+ * Rename all debian/patches/* to have .patch ending.
+ * Update 12-cve-2014-9636-test-compr-eb.patch to follow revised
+ patch "unzip-6.0_overflow3.diff" from mancha (patch author).
+ Update also to follow upstream coding style.
+ * Drop workaround for gcc optimization bug on ARM (GCC Bug #764732)
+ in the hope that it's not present anymore in GCC-6.
+ * Allow source to be cross-built. Closes: #836051.
+ * Do not ignore Unix Timestamps. Closes: #842993. Patch by the author.
+ * Fix CVE-2014-9913, buffer overflow in unzip. Closes: #847485.
+ Patch by the author.
+ * Fix CVE-2016-9844, buffer overflow in zipinfo. Closes: #847486.
+ Patch by the author.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 11 Dec 2016 21:03:30 +0100
+
+unzip (6.0-20) unstable; urgency=high
+
+ * Update debian/patches/16-fix-integer-underflow-csiz-decrypted to fix
+ regression on encrypted 0-byte files. Closes: #804595.
+ Thanks to Marc Deslauriers for the fix in Ubuntu.
+
+ -- Santiago Vila <sanvila@debian.org> Mon, 09 Nov 2015 22:15:32 +0100
+
+unzip (6.0-19) unstable; urgency=medium
+
+ * Fix infinite loop when extracting password-protected archive.
+ This is CVE-2015-7697. Closes: #802160.
+ * Fix heap overflow when extracting password-protected archive.
+ This is CVE-2015-7696. Closes: #802162.
+ * Fix additional unsigned overflow on invalid input.
+ * Thanks a lot to Raphaël Hertzog for the squeeze-lts release,
+ from which this upload is mainly derived.
+
+ -- Santiago Vila <sanvila@debian.org> Thu, 22 Oct 2015 12:12:46 +0200
+
+unzip (6.0-18) unstable; urgency=medium
+
+ * Ship a debian/copyright file in source package instead of generating
+ it a build time. Closes: #795567.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 16 Aug 2015 23:34:42 +0200
+
+unzip (6.0-17) unstable; urgency=medium
+
+ * Switch to dh.
+ * Remove build date embedded in binary to make the build reproducible.
+ Thanks to Jérémy Bobbio <lunar@debian.org>. Closes: #782851.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 17 May 2015 12:41:52 +0200
+
+unzip (6.0-16) unstable; urgency=medium
+
+ * Update 09-cve-2014-8139-crc-overflow to fix CVE-2014-8139
+ the right way (patch by the author). Closes: #775640.
+ * Update 10-cve-2014-8140-test-compr-eb to apply cleanly.
+ * Update 12-cve-2014-9636-test-compr-eb to follow the extract.c
+ file from the author.
+
+ -- Santiago Vila <sanvila@debian.org> Fri, 30 Jan 2015 22:16:08 +0100
+
+unzip (6.0-15) unstable; urgency=medium
+
+ * Fix heap overflow. Ensure that compressed and uncompressed
+ block sizes match when using STORED method in extract.c.
+ Patch taken from Ubuntu. Thanks a lot. Closes: #776589.
+ For reference, this is CVE-2014-9636.
+
+ -- Santiago Vila <sanvila@debian.org> Thu, 29 Jan 2015 18:39:52 +0100
+
+unzip (6.0-14) unstable; urgency=medium
+
+ * Drop -O2 optimization on armhf as a workaround for gcc Bug #764732.
+ Closes: #773785.
+
+ -- Santiago Vila <sanvila@debian.org> Tue, 30 Dec 2014 22:17:12 +0100
+
+unzip (6.0-13) unstable; urgency=medium
+
+ * Apply upstream fix for three security bugs. Closes: #773722.
+ CVE-2014-8139: CRC32 verification heap-based overflow
+ CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
+ CVE-2014-8141: out-of-bounds read issues in getZip64Data()
+
+ -- Santiago Vila <sanvila@debian.org> Mon, 22 Dec 2014 19:16:10 +0100
+
+unzip (6.0-12) unstable; urgency=medium
+
+ * Fix zipinfo crash where a value <= 25.5 was printed in a buffer
+ having room only for values < 10.0. The integral part is now printed
+ at attribs[11] using %2u instead of attribs[12] using %u.
+ This way the output is the same as before for values < 10.
+ Authors tell me that the next unzip release will have a fix
+ like this, at least for the Unix case. Closes: #744212.
+
+ -- Santiago Vila <sanvila@debian.org> Thu, 24 Apr 2014 23:39:38 +0200
+
+unzip (6.0-11) unstable; urgency=medium
+
+ * Lowered mime priority to 3, somewhat below 5 which is file-roller
+ default value. Closes: #727306.
+ * Increase size of cfactorstr array in list.c to avoid a buffer
+ overflow problem. Closes: #741384.
+
+ -- Santiago Vila <sanvila@debian.org> Mon, 17 Mar 2014 17:38:50 +0100
+
+unzip (6.0-10) unstable; urgency=low
+
+ * Fixed bug "unzip thinks some files are symlinks". Closes: #717029.
+ Reported by Jeff King. Patch by Andreas Schwab.
+ * Added recommended targets build-arch and build-indep.
+ * Dropped obsolete Conflicts and Replaces on unzip-crypt, for which
+ the last version was a dummy transitional package.
+ * The copyright file is generated from copyright.in at build time.
+ Added lintian override for no-debian-copyright.
+
+ -- Santiago Vila <sanvila@debian.org> Mon, 14 Oct 2013 18:48:40 +0200
+
+unzip (6.0-9) unstable; urgency=low
+
+ * Added NO_WORKING_ISPRINT to DEFINES so that UTF8 filenames are
+ displayed correctly. Reported by Slavek Banko. Closes: #682682.
+ * Use the right strip command when cross-building. Closes: #695141.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 24 Feb 2013 17:12:00 +0100
+
+unzip (6.0-8) unstable; urgency=low
+
+ * Made unzip -X to actually restore uid/gid information.
+ Closes: #689212. Thanks to Axel Scheepers for the report.
+ * Disabled memcpy, as it is being used on overlapping buffers,
+ leading to data corruption. Closes: #694601.
+ Thanks to M Joonas Pihlaja for the report.
+
+ -- Santiago Vila <sanvila@debian.org> Wed, 28 Nov 2012 12:41:34 +0100
+
+unzip (6.0-7) unstable; urgency=low
+
+ * Added Multi-Arch: foreign. Closes: #678812.
+
+ -- Santiago Vila <sanvila@debian.org> Sat, 30 Jun 2012 14:17:42 +0200
+
+unzip (6.0-6) unstable; urgency=low
+
+ * Added hardening flags. Closes: #656268.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 01 Apr 2012 00:01:40 +0200
+
+unzip (6.0-5) unstable; urgency=low
+
+ * Handle the PKWare verification bit of internal attributes.
+ Patch taken from 6.10 beta. Thanks to sms. Closes: #630078.
+
+ -- Santiago Vila <sanvila@debian.org> Fri, 01 Jul 2011 19:06:08 +0200
+
+unzip (6.0-4) unstable; urgency=low
+
+ * Added homepage field to control file.
+ * Switch to 3.0 (quilt) source format.
+ * Support cross-build.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 21 Feb 2010 17:01:00 +0100
+
+unzip (6.0-3) unstable; urgency=low
+
+ * Added "set -e" to postinst and postrm.
+
+ -- Santiago Vila <sanvila@debian.org> Tue, 09 Feb 2010 23:53:42 +0100
+
+unzip (6.0-2) unstable; urgency=low
+
+ * Do not ignore errors from make clean (lintian warning)
+ * Remove .comment section from executables (lintian warning).
+ * Added mime stuff so that mutt is able to see the contents of a zipfile
+ using "unzip -l". Closes: #474538.
+
+ -- Santiago Vila <sanvila@debian.org> Mon, 08 Feb 2010 18:44:00 +0100
+
+unzip (6.0-1) unstable; urgency=low
+
+ * New upstream release. Closes: #496989.
+ * Enabled new Unicode support. Closes: #197427. This may or may not work
+ for your already created zipfiles, but it's not a bug unless they were
+ created using the Unicode feature present in zip 3.0.
+ * Built using DATE_FORMAT=DF_YMD so that unzip -l show dates in ISO format,
+ as that's the only available one which makes sense. Closes: #312886.
+ * Enabled new bzip2 support. Closes: #426798.
+ * Exit code for zipgrep should now be the right one. Closes: #441997.
+ * The reason why a file may not be created is now shown. Closes: #478791.
+ * Summary of changes in this version not being the debian/* files:
+ - Manpages in section 1, not 1L.
+ - Branding patch. UnZip by Debian. Original by Info-ZIP.
+ - Always #include <unistd.h>. Debian GNU/kFreeBSD needs it.
+
+ -- Santiago Vila <sanvila@debian.org> Fri, 08 May 2009 20:02:40 +0200
+
+unzip (5.52-12) unstable; urgency=medium
+
+ * Fixed stack underflow in unshrink.c. Closes: #454037.
+ Thanks to Christian Spieler for the patch.
+
+ -- Santiago Vila <sanvila@debian.org> Sat, 26 Jul 2008 16:51:38 +0200
+
+unzip (5.52-11) unstable; urgency=high
+
+ * Apply patch from Tavis Ormandy to address invalid free() calls in
+ the inflate_dynamic() function (CVE-2008-0888).
+
+ -- Santiago Vila <sanvila@debian.org> Thu, 20 Mar 2008 17:53:00 +0100
+
+unzip (5.52-10) unstable; urgency=low
+
+ * Fixed typo in unzipsfx(1). Thanks to Kevin Ryde. Closes: #419479.
+
+ -- Santiago Vila <sanvila@debian.org> Mon, 2 Jul 2007 18:08:44 +0200
+
+unzip (5.52-9) unstable; urgency=low
+
+ * Added appropriate compiler flags for Large File Support (Closes: #192253).
+ This procedure is blessed by upstream in the FAQ, and as a result,
+ some .zip archives may now be uncompressed using Debian unzip.
+ For those which still may not, please test unzip 6.0 beta.
+
+ -- Santiago Vila <sanvila@debian.org> Wed, 30 Aug 2006 10:34:24 +0200
+
+unzip (5.52-8) unstable; urgency=low
+
+ * Modified unix/unxcfg.h to always #include <unistd.h>.
+ This should now work on GNU/kFreeBSD (Closes: #340693).
+
+ -- Santiago Vila <sanvila@debian.org> Tue, 25 Apr 2006 19:50:24 +0200
+
+unzip (5.52-7) unstable; urgency=medium
+
+ * Fixed buffer overflow when insanely long filenames are given on the
+ command line. Patch from Johnny Lee. Changed some format strings so
+ that they use 512 characters at most. The "right" fix will be in 5.53,
+ but this should work well enough for now. Closes: #349794.
+ * This is CVE-2005-4667.
+
+ -- Santiago Vila <sanvila@debian.org> Thu, 16 Mar 2006 10:31:20 +0100
+
+unzip (5.52-6) unstable; urgency=medium
+
+ * Symlinks should work again (Closes: #343680). Fix provided by
+ Christian Spieler. Thanks to Carl W. Hoffman for the report.
+
+ -- Santiago Vila <sanvila@debian.org> Tue, 20 Dec 2005 19:18:32 +0100
+
+unzip (5.52-5) unstable; urgency=low
+
+ * Fixed CAN-2005-2475 the same way it will be fixed in unzip 5.53.
+ Patch extracted from a prerelease provided by upstream.
+ * Changed unzip banner line to reflect the fact that this is
+ a "modified" release. Debian-derived distributions should probably
+ do the same if they deviate from the Debian version.
+
+ -- Santiago Vila <sanvila@debian.org> Thu, 17 Nov 2005 16:34:24 +0100
+
+unzip (5.52-4) unstable; urgency=medium
+
+ * Fixed toctou vulnerability (Closes: #321927). Modified unix/unix.c
+ to use fchmod() and fchown() instead of chmod() and chown() to change
+ permissions and ownerships on the files actually created by unzip.
+ Patch from Dan Yefimov. CAN-2005-2475.
+
+ -- Santiago Vila <sanvila@debian.org> Wed, 9 Nov 2005 18:05:02 +0100
+
+unzip (5.52-3) unstable; urgency=low
+
+ * Put manpages in section 1, not 1L.
+ * Fixed more typos (Closes: #309885).
+
+ -- Santiago Vila <sanvila@debian.org> Wed, 25 May 2005 16:09:02 +0200
+
+unzip (5.52-2) unstable; urgency=low
+
+ * Fixed typos in manpage (Closes: #301915).
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 24 Apr 2005 19:27:02 +0200
+
+unzip (5.52-1) unstable; urgency=low
+
+ * New upstream release.
+ * Enabled new -W option via WILD_STOP_AT_DIR macro.
+ * Macro USE_UNSHRINK is no longer defined, as it's now the default.
+
+ -- Santiago Vila <sanvila@debian.org> Tue, 1 Mar 2005 15:33:54 +0100
+
+unzip (5.51-2) unstable; urgency=low
+
+ * Added unshrinking support (Closes: #252563).
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 6 Jun 2004 17:57:46 +0200
+
+unzip (5.51-1) unstable; urgency=low
+
+ * New upstream release, improves error message when a zipfile is not
+ readable (Closes: #139331).
+ * Added a newline character to the CannotOpenZipfile string for the
+ previous fix to be really complete.
+
+ -- Santiago Vila <sanvila@debian.org> Tue, 25 May 2004 14:38:26 +0200
+
+unzip (5.50-4) unstable; urgency=low
+
+ * Changed __GNU__ to __GLIBC__ in unix/unxcfg.h to support glibc-based
+ systems not being GNU itself, like GNU/KFreeBSD and GNU/KNetBSD.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 16 Nov 2003 14:45:28 +0100
+
+unzip (5.50-3) unstable; urgency=high
+
+ * Fixed "unzip directory traversal revisited" again (Bug #206439).
+ There was still a missing case that the previous patch didn't catch.
+ Patch borrowed from unzip-5.50-33.src.rpm.
+ * For reference, this is (still) CAN-2003-0282.
+
+ -- Santiago Vila <sanvila@debian.org> Wed, 20 Aug 2003 23:00:42 +0200
+
+unzip (5.50-2) unstable; urgency=high
+
+ * Fixed "unzip directory traversal revisited" problem (Bug #199648).
+ A filename containing ".somenonprintablechar." will not unpack
+ into .. anymore. Patch borrowed from unzip-5.50-11.src.rpm.
+ * For reference, this is CAN-2003-0282.
+ * No more doc symlinks.
+
+ -- Santiago Vila <sanvila@debian.org> Mon, 7 Jul 2003 20:25:20 +0200
+
+unzip (5.50-1) unstable; urgency=low
+
+ * New upstream release.
+ * Moved from non-US/main to main. Section: utils.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 24 Mar 2002 15:54:12 +0100
+
+unzip (5.42-3) unstable; urgency=low
+
+ * Added support for DEB_BUILD_OPTIONS.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 11 Nov 2001 16:25:00 +0100
+
+unzip (5.42-2) unstable; urgency=low
+
+ * Applied a patch from Marcus Brinkmann:
+ - Closes: #99699: unzip does not build on the Hurd.
+ - Modified debian/rules to support cross-compilation.
+
+ -- Santiago Vila <sanvila@debian.org> Wed, 6 Jun 2001 16:40:14 +0200
+
+unzip (5.42-1) unstable; urgency=low
+
+ * New upstream release.
+ * Changed to Section: non-US.
+ * Removed "packaged for Debian" from extended description.
+
+ -- Santiago Vila <sanvila@debian.org> Thu, 10 May 2001 16:47:41 +0200
+
+unzip (5.41-1) unstable; urgency=low
+
+ * New upstream release, featuring a new BSD-like license and built-in
+ encryption support. Moved to non-US/main.
+ * Copyright file now generated from LICENSE file.
+ * Versioned Conflicts and Replaces.
+ * Standards-Version: 3.1.1
+
+ -- Santiago Vila <sanvila@debian.org> Fri, 18 Aug 2000 19:03:59 +0200
+
+unzip (5.40-1) unstable; urgency=low
+
+ * New upstream release.
+ * Removed `email-from-greg'.
+ * Fixed URL location in copyright file.
+ * Enabled -F option, as suggested by James Aylett.
+
+ -- Santiago Vila <sanvila@ctv.es> Fri, 22 Oct 1999 10:30:49 +0200
+
+unzip (5.32-1) unstable; urgency=low
+
+ * New upstream release, using pristine source.
+
+ -- Santiago Vila <sanvila@ctv.es> Tue, 4 Nov 1997 14:19:20 +0100
+
+unzip (5.31-2) unstable; urgency=low
+
+ * Removed debstd dependency.
+
+ -- Santiago Vila <sanvila@ctv.es> Fri, 17 Oct 1997 17:22:22 +0200
+
+unzip (5.31-1) unstable; urgency=low
+
+ * `copyright' file is generated from COPYING automatically.
+ * Distribution unstable, Section non-free.
+ * Conflicts and Replaces "unzip-crypt".
+ * New upstream release.
+ * First libc6 release.
+ * Added md5sums.
+
+ -- Santiago Vila <sanvila@ctv.es> Fri, 12 Sep 1997 19:16:59 +0200
+
+unzip (5.20-3) unstable; urgency=low
+
+ * Changed priority from `extra' to `optional'.
+ * Changed section from `misc' to `utils'.
+ * Simplified debian/rules a little bit. No debstd yet.
+ * Copied `History.520' as is. Added the symlink changelog -> History.520.
+ * Added ToDo and BUGS to /usr/doc/unzip.
+ * New maintainer.
+
+ -- Santiago Vila <sanvila@ctv.es> Sun, 16 Feb 1997 19:29:13 +0100
+
+unzip (5.20-2) unstable; urgency=low
+
+ * zipgrep manpage is now installed through the unix/Makefile
+ * permissions guaranteed to be set properly for the zipgrep script
+ (did not work for those who compiled from the straight sources.)
+ * removed several superfluous commands from debian/rules.
+ * All changes this revision are courtesy of Santiago Vila.
+
+ -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Wed, 8 Jan 1997 18:48:00 +1100
+
+unzip (5.20-1) unstable; urgency=low
+
+ * new upstream version
+ * modified the copyright to include 5.2's COPYING, just in case it's changed.
+ * minor modifications to debian/rules
+ * added zipgrep (from the zip package).
+
+ -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Wed, 13 Nov 1996 19:35:24 +1100
+
+unzip (5.12-15) unstable; urgency=low
+
+ * received email from the upstream maintainers: unzip can now go into
+ the distribution proper. Yippee! :-)
+ * added the email in question to the copyright file.
+
+ -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Sat, 19 Oct 1996 18:34:21 +1000
+
+unzip (5.12-14) non-free; urgency=low
+
+ * moved to the 2.1.1.0 source format
+ * fixed a typo in the Maintainer field (missing the ">". Oops.)
+
+ -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Sun, 1 Sep 1996 07:36:16 +1000
+
+unzip (5.12-13) non-free; urgency=low
+
+ * new maintainer
+ * mods to make the "binary" rule portable to different platforms
+ * uses dpkg-name rather than manual moving
+
+ -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Tue, 30 Jul 1996 00:00:00 +0000
+
+unzip (5.12-12) non-free; urgency=low
+
+ * initial release (used 2 to avoid confusion with old unzip)
+
+ -- Carl Streeter <streeter@cae.wisc.edu> Tue, 5 Sep 1995 00:00:00 +0000
diff --git a/data/unzip/debian/compat b/data/unzip/debian/compat
new file mode 100644
index 000000000..ec635144f
--- /dev/null
+++ b/data/unzip/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/data/unzip/debian/control b/data/unzip/debian/control
new file mode 100644
index 000000000..8d1ca2ffc
--- /dev/null
+++ b/data/unzip/debian/control
@@ -0,0 +1,20 @@
+Source: unzip
+Section: utils
+Priority: optional
+Maintainer: Santiago Vila <sanvila@debian.org>
+Standards-Version: 3.9.6
+Build-Depends: debhelper (>= 9), libbz2-dev
+Homepage: http://www.info-zip.org/UnZip.html
+
+Package: unzip
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Suggests: zip
+Multi-Arch: foreign
+Description: De-archiver for .zip files
+ InfoZIP's unzip program. With the exception of multi-volume archives
+ (ie, .ZIP files that are split across several disks using PKZIP's /& option),
+ this can handle any file produced either by PKZIP, or the corresponding
+ InfoZIP zip program.
+ .
+ This version supports encryption.
diff --git a/data/unzip/debian/copyright b/data/unzip/debian/copyright
new file mode 100644
index 000000000..f7172d2d6
--- /dev/null
+++ b/data/unzip/debian/copyright
@@ -0,0 +1,76 @@
+This is the Debian prepackaged version of "unzip", Info-Zip's fast,
+portable, zipfile decompression utility.
+
+This package is currently maintained by Santiago Vila <sanvila@debian.org>
+and built from sources obtained from:
+
+ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz
+
+The changes were fairly minimal, and consisted solely of adding
+various debian/* files to the distribution, plus several miscellaneous
+fixes as reflected in the Debian changelog.
+
+Copyright and license:
+
+This is version 2009-Jan-02 of the Info-ZIP license.
+The definitive version of this document should be available at
+ftp://ftp.info-zip.org/pub/infozip/license.html indefinitely and
+a copy at http://www.info-zip.org/pub/infozip/license.html.
+
+
+Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
+
+For the purposes of this copyright and license, "Info-ZIP" is defined as
+the following set of individuals:
+
+ Mark Adler, John Bush, Karl Davis, Harald Denker, Jean-Michel Dubois,
+ Jean-loup Gailly, Hunter Goatley, Ed Gordon, Ian Gorman, Chris Herborth,
+ Dirk Haase, Greg Hartwig, Robert Heath, Jonathan Hudson, Paul Kienitz,
+ David Kirschbaum, Johnny Lee, Onno van der Linden, Igor Mandrichenko,
+ Steve P. Miller, Sergio Monesi, Keith Owens, George Petrov, Greg Roelofs,
+ Kai Uwe Rommel, Steve Salisbury, Dave Smith, Steven M. Schweda,
+ Christian Spieler, Cosmin Truta, Antoine Verheijen, Paul von Behren,
+ Rich Wales, Mike White.
+
+This software is provided "as is," without warranty of any kind, express
+or implied. In no event shall Info-ZIP or its contributors be held liable
+for any direct, indirect, incidental, special or consequential damages
+arising out of the use of or inability to use this software.
+
+Permission is granted to anyone to use this software for any purpose,
+including commercial applications, and to alter it and redistribute it
+freely, subject to the above disclaimer and the following restrictions:
+
+ 1. Redistributions of source code (in whole or in part) must retain
+ the above copyright notice, definition, disclaimer, and this list
+ of conditions.
+
+ 2. Redistributions in binary form (compiled executables and libraries)
+ must reproduce the above copyright notice, definition, disclaimer,
+ and this list of conditions in documentation and/or other materials
+ provided with the distribution. Additional documentation is not needed
+ for executables where a command line license option provides these and
+ a note regarding this option is in the executable's startup banner. The
+ sole exception to this condition is redistribution of a standard
+ UnZipSFX binary (including SFXWiz) as part of a self-extracting archive;
+ that is permitted without inclusion of this license, as long as the
+ normal SFX banner has not been removed from the binary or disabled.
+
+ 3. Altered versions--including, but not limited to, ports to new operating
+ systems, existing ports with new graphical interfaces, versions with
+ modified or added functionality, and dynamic, shared, or static library
+ versions not from Info-ZIP--must be plainly marked as such and must not
+ be misrepresented as being the original source or, if binaries,
+ compiled from the original source. Such altered versions also must not
+ be misrepresented as being Info-ZIP releases--including, but not
+ limited to, labeling of the altered versions with the names "Info-ZIP"
+ (or any variation thereof, including, but not limited to, different
+ capitalizations), "Pocket UnZip," "WiZ" or "MacZip" without the
+ explicit permission of Info-ZIP. Such altered versions are further
+ prohibited from misrepresentative use of the Zip-Bugs or Info-ZIP
+ e-mail addresses or the Info-ZIP URL(s), such as to imply Info-ZIP
+ will provide support for the altered versions.
+
+ 4. Info-ZIP retains the right to use the names "Info-ZIP," "Zip," "UnZip,"
+ "UnZipSFX," "WiZ," "Pocket UnZip," "Pocket Zip," and "MacZip" for its
+ own source and binary releases.
diff --git a/data/unzip/debian/mime b/data/unzip/debian/mime
new file mode 100644
index 000000000..6df5691ee
--- /dev/null
+++ b/data/unzip/debian/mime
@@ -0,0 +1 @@
+application/zip; unzip -l %s; nametemplate=%s.zip; copiousoutput; priority=3
diff --git a/data/unzip/debian/patches/01-manpages-in-section-1-not-in-section-1l.patch b/data/unzip/debian/patches/01-manpages-in-section-1-not-in-section-1l.patch
new file mode 100644
index 000000000..2499ed9f8
--- /dev/null
+++ b/data/unzip/debian/patches/01-manpages-in-section-1-not-in-section-1l.patch
@@ -0,0 +1,295 @@
+From: Santiago Vila <sanvila@debian.org>
+Subject: In Debian, manpages are in section 1, not in section 1L
+X-Debian-version: 5.52-3
+
+--- a/man/funzip.1
++++ b/man/funzip.1
+@@ -20,7 +20,7 @@
+ .in -4n
+ ..
+ .\" =========================================================================
+-.TH FUNZIP 1L "20 April 2009 (v3.95)" "Info-ZIP"
++.TH FUNZIP 1 "20 April 2009 (v3.95)" "Info-ZIP"
+ .SH NAME
+ funzip \- filter for extracting from a ZIP archive in a pipe
+ .PD
+@@ -78,7 +78,7 @@
+ .EE
+ .PP
+ To use \fIzip\fP and \fIfunzip\fP in place of \fIcompress\fP(1) and
+-\fIzcat\fP(1) (or \fIgzip\fP(1L) and \fIgzcat\fP(1L)) for tape backups:
++\fIzcat\fP(1) (or \fIgzip\fP(1) and \fIgzcat\fP(1)) for tape backups:
+ .PP
+ .EX
+ tar cf \- . | zip \-7 | dd of=/dev/nrst0 obs=8k
+@@ -108,8 +108,8 @@
+ .PD
+ .\" =========================================================================
+ .SH "SEE ALSO"
+-\fIgzip\fP(1L), \fIunzip\fP(1L), \fIunzipsfx\fP(1L), \fIzip\fP(1L),
+-\fIzipcloak\fP(1L), \fIzipinfo\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L)
++\fIgzip\fP(1), \fIunzip\fP(1), \fIunzipsfx\fP(1), \fIzip\fP(1),
++\fIzipcloak\fP(1), \fIzipinfo\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1)
+ .PD
+ .\" =========================================================================
+ .SH URL
+--- a/man/unzip.1
++++ b/man/unzip.1
+@@ -20,7 +20,7 @@
+ .in -4n
+ ..
+ .\" =========================================================================
+-.TH UNZIP 1L "20 April 2009 (v6.0)" "Info-ZIP"
++.TH UNZIP 1 "20 April 2009 (v6.0)" "Info-ZIP"
+ .SH NAME
+ unzip \- list, test and extract compressed files in a ZIP archive
+ .PD
+@@ -34,7 +34,7 @@
+ \fIunzip\fP will list, test, or extract files from a ZIP archive, commonly
+ found on MS-DOS systems. The default behavior (with no options) is to extract
+ into the current directory (and subdirectories below it) all files from the
+-specified ZIP archive. A companion program, \fIzip\fP(1L), creates ZIP
++specified ZIP archive. A companion program, \fIzip\fP(1), creates ZIP
+ archives; both programs are compatible with archives created by PKWARE's
+ \fIPKZIP\fP and \fIPKUNZIP\fP for MS-DOS, but in many cases the program
+ options or default behaviors differ.
+@@ -105,8 +105,8 @@
+ list of all possible flags. The exhaustive list follows:
+ .TP
+ .B \-Z
+-\fIzipinfo\fP(1L) mode. If the first option on the command line is \fB\-Z\fP,
+-the remaining options are taken to be \fIzipinfo\fP(1L) options. See the
++\fIzipinfo\fP(1) mode. If the first option on the command line is \fB\-Z\fP,
++the remaining options are taken to be \fIzipinfo\fP(1) options. See the
+ appropriate manual page for a description of these options.
+ .TP
+ .B \-A
+@@ -178,7 +178,7 @@
+ compressed size and compression ratio figures are independent of the entry's
+ encryption status and show the correct compression performance. (The complete
+ size of the encrypted compressed data stream for zipfile entries is reported
+-by the more verbose \fIzipinfo\fP(1L) reports, see the separate manual.)
++by the more verbose \fIzipinfo\fP(1) reports, see the separate manual.)
+ When no zipfile is specified (that is, the complete command is simply
+ ``\fCunzip \-v\fR''), a diagnostic screen is printed. In addition to
+ the normal header with release date and version, \fIunzip\fP lists the
+@@ -379,8 +379,8 @@
+ .TP
+ .B \-N
+ [Amiga] extract file comments as Amiga filenotes. File comments are created
+-with the \-c option of \fIzip\fP(1L), or with the \-N option of the Amiga port
+-of \fIzip\fP(1L), which stores filenotes as comments.
++with the \-c option of \fIzip\fP(1), or with the \-N option of the Amiga port
++of \fIzip\fP(1), which stores filenotes as comments.
+ .TP
+ .B \-o
+ overwrite existing files without prompting. This is a dangerous option, so
+@@ -598,7 +598,7 @@
+ As suggested by the examples above, the default variable names are UNZIP_OPTS
+ for VMS (where the symbol used to install \fIunzip\fP as a foreign command
+ would otherwise be confused with the environment variable), and UNZIP
+-for all other operating systems. For compatibility with \fIzip\fP(1L),
++for all other operating systems. For compatibility with \fIzip\fP(1),
+ UNZIPOPT is also accepted (don't ask). If both UNZIP and UNZIPOPT
+ are defined, however, UNZIP takes precedence. \fIunzip\fP's diagnostic
+ option (\fB\-v\fP with no zipfile name) can be used to check the values
+@@ -648,8 +648,8 @@
+ a password is not known, entering a null password (that is, just a carriage
+ return or ``Enter'') is taken as a signal to skip all further prompting.
+ Only unencrypted files in the archive(s) will thereafter be extracted. (In
+-fact, that's not quite true; older versions of \fIzip\fP(1L) and
+-\fIzipcloak\fP(1L) allowed null passwords, so \fIunzip\fP checks each encrypted
++fact, that's not quite true; older versions of \fIzip\fP(1) and
++\fIzipcloak\fP(1) allowed null passwords, so \fIunzip\fP checks each encrypted
+ file to see if the null password works. This may result in ``false positives''
+ and extraction errors, as noted above.)
+ .PP
+@@ -943,8 +943,8 @@
+ .PD
+ .\" =========================================================================
+ .SH "SEE ALSO"
+-\fIfunzip\fP(1L), \fIzip\fP(1L), \fIzipcloak\fP(1L), \fIzipgrep\fP(1L),
+-\fIzipinfo\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L)
++\fIfunzip\fP(1), \fIzip\fP(1), \fIzipcloak\fP(1), \fIzipgrep\fP(1),
++\fIzipinfo\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1)
+ .PD
+ .\" =========================================================================
+ .SH URL
+--- a/man/unzipsfx.1
++++ b/man/unzipsfx.1
+@@ -20,7 +20,7 @@
+ .in -4n
+ ..
+ .\" =========================================================================
+-.TH UNZIPSFX 1L "20 April 2009 (v6.0)" "Info-ZIP"
++.TH UNZIPSFX 1 "20 April 2009 (v6.0)" "Info-ZIP"
+ .SH NAME
+ unzipsfx \- self-extracting stub for prepending to ZIP archives
+ .PD
+@@ -30,7 +30,7 @@
+ .PD
+ .\" =========================================================================
+ .SH DESCRIPTION
+-\fIunzipsfx\fP is a modified version of \fIunzip\fP(1L) designed to be
++\fIunzipsfx\fP is a modified version of \fIunzip\fP(1) designed to be
+ prepended to existing ZIP archives in order to form self-extracting archives.
+ Instead of taking its first non-flag argument to be the zipfile(s) to be
+ extracted, \fIunzipsfx\fP seeks itself under the name by which it was invoked
+@@ -109,7 +109,7 @@
+ .PD
+ .\" =========================================================================
+ .SH OPTIONS
+-\fIunzipsfx\fP supports the following \fIunzip\fP(1L) options: \fB\-c\fP
++\fIunzipsfx\fP supports the following \fIunzip\fP(1) options: \fB\-c\fP
+ and \fB\-p\fP (extract to standard output/screen), \fB\-f\fP and \fB\-u\fP
+ (freshen and update existing files upon extraction), \fB\-t\fP (test
+ archive) and \fB\-z\fP (print archive comment). All normal listing options
+@@ -118,11 +118,11 @@
+ those creating self-extracting archives may wish to include a short listing
+ in the zipfile comment.
+ .PP
+-See \fIunzip\fP(1L) for a more complete description of these options.
++See \fIunzip\fP(1) for a more complete description of these options.
+ .PD
+ .\" =========================================================================
+ .SH MODIFIERS
+-\fIunzipsfx\fP currently supports all \fIunzip\fP(1L) modifiers: \fB\-a\fP
++\fIunzipsfx\fP currently supports all \fIunzip\fP(1) modifiers: \fB\-a\fP
+ (convert text files), \fB\-n\fP (never overwrite), \fB\-o\fP (overwrite
+ without prompting), \fB\-q\fP (operate quietly), \fB\-C\fP (match names
+ case-insensitively), \fB\-L\fP (convert uppercase-OS names to lowercase),
+@@ -137,18 +137,18 @@
+ of course continue to be supported since the zipfile format implies ASCII
+ storage of text files.)
+ .PP
+-See \fIunzip\fP(1L) for a more complete description of these modifiers.
++See \fIunzip\fP(1) for a more complete description of these modifiers.
+ .PD
+ .\" =========================================================================
+ .SH "ENVIRONMENT OPTIONS"
+-\fIunzipsfx\fP uses the same environment variables as \fIunzip\fP(1L) does,
++\fIunzipsfx\fP uses the same environment variables as \fIunzip\fP(1) does,
+ although this is likely to be an issue only for the person creating and
+-testing the self-extracting archive. See \fIunzip\fP(1L) for details.
++testing the self-extracting archive. See \fIunzip\fP(1) for details.
+ .PD
+ .\" =========================================================================
+ .SH DECRYPTION
+-Decryption is supported exactly as in \fIunzip\fP(1L); that is, interactively
+-with a non-echoing prompt for the password(s). See \fIunzip\fP(1L) for
++Decryption is supported exactly as in \fIunzip\fP(1); that is, interactively
++with a non-echoing prompt for the password(s). See \fIunzip\fP(1) for
+ details. Once again, note that if the archive has no encrypted files there
+ is no reason to use a version of \fIunzipsfx\fP with decryption support;
+ that only adds to the size of the archive.
+@@ -286,7 +286,7 @@
+ from anywhere in the user's path. The situation is not known for AmigaDOS,
+ Atari TOS, MacOS, etc.
+ .PP
+-As noted above, a number of the normal \fIunzip\fP(1L) functions have
++As noted above, a number of the normal \fIunzip\fP(1) functions have
+ been removed in order to make \fIunzipsfx\fP smaller: usage and diagnostic
+ info, listing functions and extraction to other directories. Also, only
+ stored and deflated files are supported. The latter limitation is mainly
+@@ -303,17 +303,17 @@
+ defined as a ``debug hunk.'') There may be compatibility problems between
+ the ROM levels of older Amigas and newer ones.
+ .PP
+-All current bugs in \fIunzip\fP(1L) exist in \fIunzipsfx\fP as well.
++All current bugs in \fIunzip\fP(1) exist in \fIunzipsfx\fP as well.
+ .PD
+ .\" =========================================================================
+ .SH DIAGNOSTICS
+ \fIunzipsfx\fP's exit status (error level) is identical to that of
+-\fIunzip\fP(1L); see the corresponding man page.
++\fIunzip\fP(1); see the corresponding man page.
+ .PD
+ .\" =========================================================================
+ .SH "SEE ALSO"
+-\fIfunzip\fP(1L), \fIunzip\fP(1L), \fIzip\fP(1L), \fIzipcloak\fP(1L),
+-\fIzipgrep\fP(1L), \fIzipinfo\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L)
++\fIfunzip\fP(1), \fIunzip\fP(1), \fIzip\fP(1), \fIzipcloak\fP(1),
++\fIzipgrep\fP(1), \fIzipinfo\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1)
+ .PD
+ .PD
+ .\" =========================================================================
+@@ -330,7 +330,7 @@
+ .\" =========================================================================
+ .SH AUTHORS
+ Greg Roelofs was responsible for the basic modifications to UnZip necessary
+-to create UnZipSFX. See \fIunzip\fP(1L) for the current list of Zip-Bugs
++to create UnZipSFX. See \fIunzip\fP(1) for the current list of Zip-Bugs
+ authors, or the file CONTRIBS in the UnZip source distribution for the
+ full list of Info-ZIP contributors.
+ .PD
+--- a/man/zipgrep.1
++++ b/man/zipgrep.1
+@@ -8,7 +8,7 @@
+ .\" zipgrep.1 by Greg Roelofs.
+ .\"
+ .\" =========================================================================
+-.TH ZIPGREP 1L "20 April 2009" "Info-ZIP"
++.TH ZIPGREP 1 "20 April 2009" "Info-ZIP"
+ .SH NAME
+ zipgrep \- search files in a ZIP archive for lines matching a pattern
+ .PD
+@@ -21,7 +21,7 @@
+ .SH DESCRIPTION
+ \fIzipgrep\fP will search files within a ZIP archive for lines matching
+ the given string or pattern. \fIzipgrep\fP is a shell script and requires
+-\fIegrep\fP(1) and \fIunzip\fP(1L) to function. Its output is identical to
++\fIegrep\fP(1) and \fIunzip\fP(1) to function. Its output is identical to
+ that of \fIegrep\fP(1).
+ .PD
+ .\" =========================================================================
+@@ -69,8 +69,8 @@
+ .PD
+ .\" =========================================================================
+ .SH "SEE ALSO"
+-\fIegrep\fP(1), \fIunzip\fP(1L), \fIzip\fP(1L), \fIfunzip\fP(1L),
+-\fIzipcloak\fP(1L), \fIzipinfo\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L)
++\fIegrep\fP(1), \fIunzip\fP(1), \fIzip\fP(1), \fIfunzip\fP(1),
++\fIzipcloak\fP(1), \fIzipinfo\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1)
+ .PD
+ .\" =========================================================================
+ .SH URL
+--- a/man/zipinfo.1
++++ b/man/zipinfo.1
+@@ -34,7 +34,7 @@
+ .in -4n
+ ..
+ .\" =========================================================================
+-.TH ZIPINFO 1L "20 April 2009 (v3.0)" "Info-ZIP"
++.TH ZIPINFO 1 "20 April 2009 (v3.0)" "Info-ZIP"
+ .SH NAME
+ zipinfo \- list detailed information about a ZIP archive
+ .PD
+@@ -272,7 +272,7 @@
+ Note that because of limitations in the MS-DOS format used to store file
+ times, the seconds field is always rounded to the nearest even second.
+ For Unix files this is expected to change in the next major releases of
+-\fIzip\fP(1L) and \fIunzip\fP.
++\fIzip\fP(1) and \fIunzip\fP.
+ .PP
+ In addition to individual file information, a default zipfile listing
+ also includes header and trailer lines:
+@@ -361,7 +361,7 @@
+ As suggested above, the default variable names are ZIPINFO_OPTS for VMS
+ (where the symbol used to install \fIzipinfo\fP as a foreign command
+ would otherwise be confused with the environment variable), and ZIPINFO
+-for all other operating systems. For compatibility with \fIzip\fP(1L),
++for all other operating systems. For compatibility with \fIzip\fP(1),
+ ZIPINFOOPT is also accepted (don't ask). If both ZIPINFO and ZIPINFOOPT
+ are defined, however, ZIPINFO takes precedence. \fIunzip\fP's diagnostic
+ option (\fB\-v\fP with no zipfile name) can be used to check the values
+@@ -496,8 +496,8 @@
+ .PP
+ .\" =========================================================================
+ .SH "SEE ALSO"
+-\fIls\fP(1), \fIfunzip\fP(1L), \fIunzip\fP(1L), \fIunzipsfx\fP(1L),
+-\fIzip\fP(1L), \fIzipcloak\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L)
++\fIls\fP(1), \fIfunzip\fP(1), \fIunzip\fP(1), \fIunzipsfx\fP(1),
++\fIzip\fP(1), \fIzipcloak\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1)
+ .PD
+ .\" =========================================================================
+ .SH URL
diff --git a/data/unzip/debian/patches/02-this-is-debian-unzip.patch b/data/unzip/debian/patches/02-this-is-debian-unzip.patch
new file mode 100644
index 000000000..7f0465120
--- /dev/null
+++ b/data/unzip/debian/patches/02-this-is-debian-unzip.patch
@@ -0,0 +1,16 @@
+From: Santiago Vila <sanvila@debian.org>
+Subject: "Branding patch": UnZip by Debian. Original by Info-ZIP.
+X-Debian-version: 5.52-5
+
+--- a/unzip.c
++++ b/unzip.c
+@@ -570,8 +570,7 @@
+ #else /* !VMS */
+ # ifdef COPYRIGHT_CLEAN
+ static ZCONST char Far UnzipUsageLine1[] = "\
+-UnZip %d.%d%d%s of %s, by Info-ZIP. Maintained by C. Spieler. Send\n\
+-bug reports using http://www.info-zip.org/zip-bug.html; see README for details.\
++UnZip %d.%d%d%s of %s, by Debian. Original by Info-ZIP.\
+ \n\n";
+ # else
+ static ZCONST char Far UnzipUsageLine1[] = "\
diff --git a/data/unzip/debian/patches/03-include-unistd-for-kfreebsd.patch b/data/unzip/debian/patches/03-include-unistd-for-kfreebsd.patch
new file mode 100644
index 000000000..6f06191ff
--- /dev/null
+++ b/data/unzip/debian/patches/03-include-unistd-for-kfreebsd.patch
@@ -0,0 +1,15 @@
+From: Aurelien Jarno <aurel32@debian.org>
+Subject: #include <unistd.h> for kFreeBSD
+Bug-Debian: https://bugs.debian.org/340693
+X-Debian-version: 5.52-8
+
+--- a/unix/unxcfg.h
++++ b/unix/unxcfg.h
+@@ -52,6 +52,7 @@
+
+ #include <sys/types.h> /* off_t, time_t, dev_t, ... */
+ #include <sys/stat.h>
++#include <unistd.h>
+
+ #ifdef NO_OFF_T
+ typedef long zoff_t;
diff --git a/data/unzip/debian/patches/04-handle-pkware-verification-bit.patch b/data/unzip/debian/patches/04-handle-pkware-verification-bit.patch
new file mode 100644
index 000000000..6bda15a56
--- /dev/null
+++ b/data/unzip/debian/patches/04-handle-pkware-verification-bit.patch
@@ -0,0 +1,21 @@
+From: "Steven M. Schweda" <sms@antinode.info>
+Subject: Handle the PKWare verification bit of internal attributes
+Bug-Debian: https://bugs.debian.org/630078
+X-Debian-version: 6.0-5
+
+--- a/process.c
++++ b/process.c
+@@ -1729,6 +1729,13 @@
+ else if (uO.L_flag > 1) /* let -LL force lower case for all names */
+ G.pInfo->lcflag = 1;
+
++ /* Handle the PKWare verification bit, bit 2 (0x0004) of internal
++ attributes. If this is set, then a verification checksum is in the
++ first 3 bytes of the external attributes. In this case all we can use
++ for setting file attributes is the last external attributes byte. */
++ if (G.crec.internal_file_attributes & 0x0004)
++ G.crec.external_file_attributes &= (ulg)0xff;
++
+ /* do Amigas (AMIGA_) also have volume labels? */
+ if (IS_VOLID(G.crec.external_file_attributes) &&
+ (G.pInfo->hostnum == FS_FAT_ || G.pInfo->hostnum == FS_HPFS_ ||
diff --git a/data/unzip/debian/patches/05-fix-uid-gid-handling.patch b/data/unzip/debian/patches/05-fix-uid-gid-handling.patch
new file mode 100644
index 000000000..ee9b3ddc6
--- /dev/null
+++ b/data/unzip/debian/patches/05-fix-uid-gid-handling.patch
@@ -0,0 +1,29 @@
+From: "Steven M. Schweda" <sms@antinode.info>
+Subject: Restore uid and gid information when requested
+Bug-Debian: https://bugs.debian.org/689212
+X-Debian-version: 6.0-8
+
+--- a/process.c
++++ b/process.c
+@@ -2904,7 +2904,7 @@
+ #ifdef IZ_HAVE_UXUIDGID
+ if (eb_len >= EB_UX3_MINLEN
+ && z_uidgid != NULL
+- && (*((EB_HEADSIZE + 0) + ef_buf) == 1)
++ && (*((EB_HEADSIZE + 0) + ef_buf) == 1))
+ /* only know about version 1 */
+ {
+ uch uid_size;
+@@ -2916,10 +2916,10 @@
+ flags &= ~0x0ff; /* ignore any previous UNIX field */
+
+ if ( read_ux3_value((EB_HEADSIZE + 2) + ef_buf,
+- uid_size, z_uidgid[0])
++ uid_size, &z_uidgid[0])
+ &&
+ read_ux3_value((EB_HEADSIZE + uid_size + 3) + ef_buf,
+- gid_size, z_uidgid[1]) )
++ gid_size, &z_uidgid[1]) )
+ {
+ flags |= EB_UX2_VALID; /* signal success */
+ }
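Review bot: In the `IZ_HAVE_UXUIDGID` branch of 05-fix-uid-gid-handling.patch, the second `read_ux3_value()` call reads at `(EB_HEADSIZE + uid_size + 3) + ef_buf`, an offset built from a size byte taken from the archive, while the only length test visible is `eb_len >= EB_UX3_MINLEN`. The lines that assign `uid_size` and `gid_size` sit between the two inner hunks and are not shown, so this may already be handled. If it is not, adding a condition such as `(unsigned)uid_size + gid_size + 3 <= eb_len` to the enclosing `if` would keep both reads inside the block. With the `&z_uidgid[...]` fix the parsed values are now actually stored, so the bound matters more than it did before.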
diff --git a/data/unzip/debian/patches/06-initialize-the-symlink-flag.patch b/data/unzip/debian/patches/06-initialize-the-symlink-flag.patch
new file mode 100644
index 000000000..11fa0d9f9
--- /dev/null
+++ b/data/unzip/debian/patches/06-initialize-the-symlink-flag.patch
@@ -0,0 +1,20 @@
+From: Andreas Schwab <schwab@linux-m68k.org>
+Subject: Initialize the symlink flag
+Bug-Debian: https://bugs.debian.org/717029
+X-Debian-version: 6.0-10
+
+--- a/process.c
++++ b/process.c
+@@ -1758,6 +1758,12 @@
+ = (G.crec.general_purpose_bit_flag & (1 << 11)) == (1 << 11);
+ #endif
+
++#ifdef SYMLINKS
++ /* Initialize the symlink flag, may be set by the platform-specific
++ mapattr function. */
++ G.pInfo->symlink = 0;
++#endif
++
+ return PK_COOL;
+
+ } /* end function process_cdir_file_hdr() */
diff --git a/data/unzip/debian/patches/07-increase-size-of-cfactorstr.patch b/data/unzip/debian/patches/07-increase-size-of-cfactorstr.patch
new file mode 100644
index 000000000..e2d8926f2
--- /dev/null
+++ b/data/unzip/debian/patches/07-increase-size-of-cfactorstr.patch
@@ -0,0 +1,16 @@
+From: "Steven M. Schweda" <sms@antinode.info>
+Subject: Increase size of cfactorstr array to avoid buffer overflow
+Bug-Debian: https://bugs.debian.org/741384
+X-Debian-version: 6.0-11
+
+--- a/list.c
++++ b/list.c
+@@ -97,7 +97,7 @@
+ {
+ int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
+ #ifndef WINDLL
+- char sgn, cfactorstr[10];
++ char sgn, cfactorstr[12];
+ int longhdr=(uO.vflag>1);
+ #endif
+ int date_format;
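Review bot: `cfactorstr[12]` in 07-increase-size-of-cfactorstr.patch is a bare size with nothing tying it to the text formatted into it, and the call that fills the array is outside the hunk. The fix holds only while that formatted string stays under twelve bytes, which depends on the range of `int cfactor` declared on the line above. I would at least record the assumption, e.g. `char sgn, cfactorstr[12]; /* must hold the longest ratio string plus NUL; TODO confirm the bound on cfactor */`. The same hand-counted sizing is in 08-allow-greater-hostver-values.patch, where `sprintf(&attribs[11], "%2u.%u", hostver/10, hostver%10)` writes at a fixed offset into an array whose size is not shown. A comment stating the worst case there (a one-byte `hostver` of 255 needs five bytes including the NUL) would make that bound checkable.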
diff --git a/data/unzip/debian/patches/08-allow-greater-hostver-values.patch b/data/unzip/debian/patches/08-allow-greater-hostver-values.patch
new file mode 100644
index 000000000..3460787b8
--- /dev/null
+++ b/data/unzip/debian/patches/08-allow-greater-hostver-values.patch
@@ -0,0 +1,14 @@
+From: Santiago Vila <sanvila@debian.org>
+Subject: zipinfo.c: Do not crash when hostver byte is >= 100
+
+--- a/zipinfo.c
++++ b/zipinfo.c
+@@ -2114,7 +2114,7 @@
+ else
+ attribs[9] = (xattr & UNX_ISVTX)? 'T' : '-'; /* T==undefined */
+
+- sprintf(&attribs[12], "%u.%u", hostver/10, hostver%10);
++ sprintf(&attribs[11], "%2u.%u", hostver/10, hostver%10);
+ break;
+
+ } /* end switch (hostnum: external attributes format) */
diff --git a/data/unzip/debian/patches/09-cve-2014-8139-crc-overflow.patch b/data/unzip/debian/patches/09-cve-2014-8139-crc-overflow.patch
new file mode 100644
index 000000000..3b49472e1
--- /dev/null
+++ b/data/unzip/debian/patches/09-cve-2014-8139-crc-overflow.patch
@@ -0,0 +1,53 @@
+From: "Steven M. Schweda" <sms@antinode.info>
+Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow
+Bug-Debian: https://bugs.debian.org/773722
+
+--- a/extract.c
++++ b/extract.c
+@@ -1,5 +1,5 @@
+ /*
+- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
+
+ See the accompanying file LICENSE, version 2009-Jan-02 or later
+ (the contents of which are also included in unzip.h) for terms of use.
+@@ -298,6 +298,8 @@
+ #ifndef SFX
+ static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
+ EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
++ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
++ EF block length (%u bytes) invalid (< %d)\n";
+ static ZCONST char Far InvalidComprDataEAs[] =
+ " invalid compressed data for EAs\n";
+ # if (defined(WIN32) && defined(NTSD_EAS))
+@@ -2023,7 +2025,8 @@
+ ebID = makeword(ef);
+ ebLen = (unsigned)makeword(ef+EB_LEN);
+
+- if (ebLen > (ef_len - EB_HEADSIZE)) {
++ if (ebLen > (ef_len - EB_HEADSIZE))
++ {
+ /* Discovered some extra field inconsistency! */
+ if (uO.qflag)
+ Info(slide, 1, ((char *)slide, "%-22s ",
+@@ -2158,11 +2161,19 @@
+ }
+ break;
+ case EF_PKVMS:
+- if (makelong(ef+EB_HEADSIZE) !=
++ if (ebLen < 4)
++ {
++ Info(slide, 1,
++ ((char *)slide, LoadFarString(TooSmallEBlength),
++ ebLen, 4));
++ }
++ else if (makelong(ef+EB_HEADSIZE) !=
+ crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
+ (extent)(ebLen-4)))
++ {
+ Info(slide, 1, ((char *)slide,
+ LoadFarString(BadCRC_EAs)));
++ }
+ break;
+ case EF_PKW32:
+ case EF_PKUNIX:
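Review bot: The new `ebLen < 4` guard in the `EF_PKVMS` case of 09-cve-2014-8139-crc-overflow.patch only prints `TooSmallEBlength` and then reaches `break`, as the bad-CRC branch does. Nothing in the hunk records an error status, so whether a test run still reports such an archive as good depends on code outside it. If the enclosing function keeps an error accumulator it should be set here, because a block too short to hold its own CRC is malformed input. Separately, the literal `4` now appears in the guard, in the message argument and in `ebLen-4`; a named constant would keep the three in step.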
diff --git a/data/unzip/debian/patches/10-cve-2014-8140-test-compr-eb.patch b/data/unzip/debian/patches/10-cve-2014-8140-test-compr-eb.patch
new file mode 100644
index 000000000..ad74239eb
--- /dev/null
+++ b/data/unzip/debian/patches/10-cve-2014-8140-test-compr-eb.patch
@@ -0,0 +1,27 @@
+From: "Steven M. Schweda" <sms@antinode.info>
+Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
+Bug-Debian: https://bugs.debian.org/773722
+
+--- a/extract.c
++++ b/extract.c
+@@ -2232,10 +2232,17 @@
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+
++ /* Return no/bad-data error status if any problem is found:
++ * 1. eb_size is too small to hold the uncompressed size
++ * (eb_ucsize). (Else extract eb_ucsize.)
++ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
++ * 3. eb_ucsize is positive, but eb_size is too small to hold
++ * the compressed data header.
++ */
+ if ((eb_size < (EB_UCSIZE_P + 4)) ||
+- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
+- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+- return IZ_EF_TRUNC; /* no compressed data! */
++ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
++ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
++ return IZ_EF_TRUNC; /* no/bad compressed data! */
+
+ if (
+ #ifdef INT_16BIT
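Review bot: In the rewritten condition in `test_compr_eb()` (10-cve-2014-8140-test-compr-eb.patch), the `eb_ucsize > 0L` in the third clause can never be false. The second clause has already caught zero, and `eb_ucsize` is declared `ulg` (see the context line in patch 12). The clause can be reduced to `(eb_size <= (compr_offset + EB_CMPRHEADLEN))`, which also shows that the header-size bound is now unconditional. The condition still relies on left-to-right evaluation so that `eb_ucsize` is read only after the `eb_size < (EB_UCSIZE_P + 4)` test. The new block comment is a good place to say so, e.g. `* The order of the tests matters: eb_ucsize is read only once eb_size is known to cover it.`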
diff --git a/data/unzip/debian/patches/11-cve-2014-8141-getzip64data.patch b/data/unzip/debian/patches/11-cve-2014-8141-getzip64data.patch
new file mode 100644
index 000000000..6097966c2
--- /dev/null
+++ b/data/unzip/debian/patches/11-cve-2014-8141-getzip64data.patch
@@ -0,0 +1,137 @@
+From: "Steven M. Schweda" <sms@antinode.info>
+Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
+Bug-Debian: https://bugs.debian.org/773722
+
+--- a/fileio.c
++++ b/fileio.c
+@@ -176,6 +176,8 @@
+ #endif
+ static ZCONST char Far ExtraFieldTooLong[] =
+ "warning: extra field too long (%d). Ignoring...\n";
++static ZCONST char Far ExtraFieldCorrupt[] =
++ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
+
+ #ifdef WINDLL
+ static ZCONST char Far DiskFullQuery[] =
+@@ -2295,7 +2297,12 @@
+ if (readbuf(__G__ (char *)G.extra_field, length) == 0)
+ return PK_EOF;
+ /* Looks like here is where extra fields are read */
+- getZip64Data(__G__ G.extra_field, length);
++ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
++ {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
++ error = PK_WARN;
++ }
+ #ifdef UNICODE_SUPPORT
+ G.unipath_filename = NULL;
+ if (G.UzO.U_flag < 2) {
+--- a/process.c
++++ b/process.c
+@@ -1,5 +1,5 @@
+ /*
+- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
+
+ See the accompanying file LICENSE, version 2009-Jan-02 or later
+ (the contents of which are also included in unzip.h) for terms of use.
+@@ -1901,48 +1901,82 @@
+ and a 4-byte version of disk start number.
+ Sets both local header and central header fields. Not terribly clever,
+ but it means that this procedure is only called in one place.
++
++ 2014-12-05 SMS.
++ Added checks to ensure that enough data are available before calling
++ makeint64() or makelong(). Replaced various sizeof() values with
++ simple ("4" or "8") constants. (The Zip64 structures do not depend
++ on our variable sizes.) Error handling is crude, but we should now
++ stay within the buffer.
+ ---------------------------------------------------------------------------*/
+
++#define Z64FLGS 0xffff
++#define Z64FLGL 0xffffffff
++
+ if (ef_len == 0 || ef_buf == NULL)
+ return PK_COOL;
+
+ Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
+ ef_len));
+
+- while (ef_len >= EB_HEADSIZE) {
++ while (ef_len >= EB_HEADSIZE)
++ {
+ eb_id = makeword(EB_ID + ef_buf);
+ eb_len = makeword(EB_LEN + ef_buf);
+
+- if (eb_len > (ef_len - EB_HEADSIZE)) {
+- /* discovered some extra field inconsistency! */
++ if (eb_len > (ef_len - EB_HEADSIZE))
++ {
++ /* Extra block length exceeds remaining extra field length. */
+ Trace((stderr,
+ "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
+ ef_len - EB_HEADSIZE));
+ break;
+ }
+- if (eb_id == EF_PKSZ64) {
+-
++ if (eb_id == EF_PKSZ64)
++ {
+ int offset = EB_HEADSIZE;
+
+- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
+- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.ucsize);
++ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
++ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
++ offset += 8;
+ }
+- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
+- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.csize);
++
++ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
++ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
++ offset += 8;
+ }
+- if (G.crec.relative_offset_local_header == 0xffffffff){
++
++ if (G.crec.relative_offset_local_header == Z64FLGL)
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
+ G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.relative_offset_local_header);
++ offset += 8;
+ }
+- if (G.crec.disk_number_start == 0xffff){
++
++ if (G.crec.disk_number_start == Z64FLGS)
++ {
++ if (offset+ 4 > ef_len)
++ return PK_ERR;
++
+ G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
+- offset += sizeof(G.crec.disk_number_start);
++ offset += 4;
+ }
++#if 0
++ break; /* Expect only one EF_PKSZ64 block. */
++#endif /* 0 */
+ }
+
+- /* Skip this extra field block */
++ /* Skip this extra field block. */
+ ef_buf += (eb_len + EB_HEADSIZE);
+ ef_len -= (eb_len + EB_HEADSIZE);
+ }
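Review bot: The new bounds checks in `getZip64Data()` (`if (offset+ 8 > ef_len) return PK_ERR;` and the `+ 4` variant) compare against `ef_len`, the length of everything left in the extra field, rather than against this block's own `eb_len`. That keeps the reads inside the buffer, as the added comment says, but a short `EF_PKSZ64` block followed by other blocks would still have the next block's bytes taken as its sizes and offsets. Bounding by the block instead, `if (offset + 8 > EB_HEADSIZE + eb_len) return PK_ERR;`, closes that gap. An early `PK_ERR` also leaves whichever `G.crec`/`G.lrec` fields were already assigned in place, and the caller in fileio.c downgrades it to `PK_WARN` and continues. The function starts and ends outside the hunk.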
diff --git a/data/unzip/debian/patches/12-cve-2014-9636-test-compr-eb.patch b/data/unzip/debian/patches/12-cve-2014-9636-test-compr-eb.patch
new file mode 100644
index 000000000..1f3838498
--- /dev/null
+++ b/data/unzip/debian/patches/12-cve-2014-9636-test-compr-eb.patch
@@ -0,0 +1,40 @@
+From: mancha <mancha1 AT zoho DOT com>
+Date: Wed, 11 Feb 2015
+Subject: Info-ZIP UnZip buffer overflow
+Bug-Debian: https://bugs.debian.org/776589
+
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+
+--- a/extract.c
++++ b/extract.c
+@@ -2228,6 +2228,7 @@
+ ulg eb_ucsize;
+ uch *eb_ucptr;
+ int r;
++ ush eb_compr_method;
+
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+@@ -2244,6 +2245,15 @@
+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+ return IZ_EF_TRUNC; /* no/bad compressed data! */
+
++ /* 2015-02-10 Mancha(?), Michal Zalewski, Tomas Hoger, SMS.
++ * For STORE method, compressed and uncompressed sizes must agree.
++ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
++ */
++ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
++ if ((eb_compr_method == STORED) &&
++ (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize))
++ return PK_ERR;
++
+ if (
+ #ifdef INT_16BIT
+ (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
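Review bot: The STORED check `eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize` in 12-cve-2014-9636-test-compr-eb.patch adds an archive-supplied 32-bit value to two offsets. On a target where `ulg` is 32 bits wide the sum can wrap and compare equal for an `eb_ucsize` far larger than the block. The preceding test has already returned unless `eb_size > compr_offset + EB_CMPRHEADLEN`, so the subtraction form cannot underflow and avoids the wrap: `(eb_ucsize != (ulg)(eb_size - compr_offset - EB_CMPRHEADLEN))`. The types of `eb_size` and `compr_offset` are not in the hunk, so the cast may need adjusting. The read of the method word at `eb + (EB_HEADSIZE + compr_offset)` is covered by that same bound only if `EB_CMPRHEADLEN` is at least 2, which deserves a one-line comment.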
diff --git a/data/unzip/debian/patches/13-remove-build-date.patch b/data/unzip/debian/patches/13-remove-build-date.patch
new file mode 100644
index 000000000..bb60533cb
--- /dev/null
+++ b/data/unzip/debian/patches/13-remove-build-date.patch
@@ -0,0 +1,17 @@
+From: Jérémy Bobbio <lunar@debian.org>
+Subject: Remove build date
+Bug-Debian: https://bugs.debian.org/782851
+ In order to make unzip build reproducibly, we remove the
+ (already optional) build date from the binary.
+
+--- a/unix/unix.c
++++ b/unix/unix.c
+@@ -1705,7 +1705,7 @@
+ #endif /* Sun */
+ #endif /* SGI */
+
+-#ifdef __DATE__
++#if 0
+ " on ", __DATE__
+ #else
+ "", ""
diff --git a/data/unzip/debian/patches/14-cve-2015-7696.patch b/data/unzip/debian/patches/14-cve-2015-7696.patch
new file mode 100644
index 000000000..91482dae0
--- /dev/null
+++ b/data/unzip/debian/patches/14-cve-2015-7696.patch
@@ -0,0 +1,33 @@
+From: Petr Stodulka <pstodulk@redhat.com>
+Date: Mon, 14 Sep 2015 18:23:17 +0200
+Subject: Upstream fix for heap overflow
+Bug-Debian: https://bugs.debian.org/802162
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
+Origin: https://bugzilla.redhat.com/attachment.cgi?id=1073002
+Forwarded: yes
+
+---
+ crypt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/crypt.c
++++ b/crypt.c
+@@ -465,7 +465,17 @@
+ GLOBAL(pInfo->encrypted) = FALSE;
+ defer_leftover_input(__G);
+ for (n = 0; n < RAND_HEAD_LEN; n++) {
+- b = NEXTBYTE;
++ /* 2012-11-23 SMS. (OUSPG report.)
++ * Quit early if compressed size < HEAD_LEN. The resulting
++ * error message ("unable to get password") could be improved,
++ * but it's better than trying to read nonexistent data, and
++ * then continuing with a negative G.csize. (See
++ * fileio.c:readbyte()).
++ */
++ if ((b = NEXTBYTE) == (ush)EOF)
++ {
++ return PK_ERR;
++ }
+ h[n] = (uch)b;
+ Trace((stdout, " (%02x)", h[n]));
+ }
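Review bot: The early `return PK_ERR` added inside the header-read loop (14-cve-2015-7696.patch) exits with `GLOBAL(pInfo->encrypted)` still `FALSE` and the input still deferred by `defer_leftover_input(__G)`, both set on the context lines just above the loop. Whatever restores that state after the loop is outside the hunk, so either confirm that callers do not depend on it after a failure or restore it before returning. The test `(b = NEXTBYTE) == (ush)EOF` also only works if `b` is declared `ush`, which the hunk does not show. Once confirmed, a short comment such as `/* b is ush, so end of input arrives as (ush)EOF */` would document that.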
diff --git a/data/unzip/debian/patches/15-cve-2015-7697.patch b/data/unzip/debian/patches/15-cve-2015-7697.patch
new file mode 100644
index 000000000..782431090
--- /dev/null
+++ b/data/unzip/debian/patches/15-cve-2015-7697.patch
@@ -0,0 +1,26 @@
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 14 Sep 2015 18:24:56 +0200
+Subject: fix infinite loop when extracting empty bzip2 data
+Bug-Debian: https://bugs.debian.org/802160
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
+Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1073339
+
+---
+ extract.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/extract.c
++++ b/extract.c
+@@ -2729,6 +2729,12 @@
+ int repeated_buf_err;
+ bz_stream bstrm;
+
++ if (G.incnt <= 0 && G.csize <= 0L) {
++ /* avoid an infinite loop */
++ Trace((stderr, "UZbunzip2() got empty input\n"));
++ return 2;
++ }
++
+ #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
+ if (G.redirect_slide)
+ wsize = G.redirect_size, redirSlide = G.redirect_buffer;
diff --git a/data/unzip/debian/patches/16-fix-integer-underflow-csiz-decrypted.patch b/data/unzip/debian/patches/16-fix-integer-underflow-csiz-decrypted.patch
new file mode 100644
index 000000000..45afbdd68
--- /dev/null
+++ b/data/unzip/debian/patches/16-fix-integer-underflow-csiz-decrypted.patch
@@ -0,0 +1,32 @@
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 22 Sep 2015 18:52:23 +0200
+Subject: [PATCH] extract: prevent unsigned overflow on invalid input
+Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1075942
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
+
+Suggested-by: Stefan Cornelius
+---
+ extract.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/extract.c
++++ b/extract.c
+@@ -1257,8 +1257,17 @@
+ if (G.lrec.compression_method == STORED) {
+ zusz_t csiz_decrypted = G.lrec.csize;
+
+- if (G.pInfo->encrypted)
++ if (G.pInfo->encrypted) {
++ if (csiz_decrypted < 12) {
++ /* handle the error now to prevent unsigned overflow */
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarStringSmall(ErrUnzipNoFile),
++ LoadFarString(InvalidComprData),
++ LoadFarStringSmall2(Inflate)));
++ return PK_ERR;
++ }
+ csiz_decrypted -= 12;
++ }
+ if (G.lrec.ucsize != csiz_decrypted) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarStringSmall2(WrnStorUCSizCSizDiff),
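Review bot: The new guard `if (csiz_decrypted < 12)` repeats the bare 12 used by the subtraction below it, so the two can drift apart. The value is presumably the encryption header length that crypt.c loops over as RAND_HEAD_LEN; if that macro is visible in extract.c, `if (csiz_decrypted < RAND_HEAD_LEN)` would tie the guard and the subtraction to one definition. The error text is also built with `LoadFarStringSmall2(Inflate)` inside the STORED branch, which likely prints an inflate-related message for an entry that is not deflated. The enclosing function starts and ends outside the hunk.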
diff --git a/data/unzip/debian/patches/17-restore-unix-timestamps-accurately.patch b/data/unzip/debian/patches/17-restore-unix-timestamps-accurately.patch
new file mode 100644
index 000000000..2aa9424eb
--- /dev/null
+++ b/data/unzip/debian/patches/17-restore-unix-timestamps-accurately.patch
@@ -0,0 +1,41 @@
+From: "Steven M. Schweda" <sms@antinode.info>
+Subject: Do not ignore extra fields containing Unix Timestamps
+Bug-Debian: https://bugs.debian.org/842993
+X-Debian-version: 6.0-21
+
+--- a/process.c
++++ b/process.c
+@@ -2914,10 +2914,13 @@
+ break;
+
+ case EF_IZUNIX2:
+- if (have_new_type_eb == 0) {
+- flags &= ~0x0ff; /* ignore any previous IZUNIX field */
++ if (have_new_type_eb == 0) { /* (< 1) */
+ have_new_type_eb = 1;
+ }
++ if (have_new_type_eb <= 1) {
++ /* Ignore any prior (EF_IZUNIX/EF_PKUNIX) UID/GID. */
++ flags &= 0x0ff;
++ }
+ #ifdef IZ_HAVE_UXUIDGID
+ if (have_new_type_eb > 1)
+ break; /* IZUNIX3 overrides IZUNIX2 e.f. block ! */
+@@ -2933,6 +2936,8 @@
+ /* new 3rd generation Unix ef */
+ have_new_type_eb = 2;
+
++ /* Ignore any prior EF_IZUNIX/EF_PKUNIX/EF_IZUNIX2 UID/GID. */
++ flags &= 0x0ff;
+ /*
+ Version 1 byte version of this extra field, currently 1
+ UIDSize 1 byte Size of UID field
+@@ -2953,8 +2958,6 @@
+ uid_size = *((EB_HEADSIZE + 1) + ef_buf);
+ gid_size = *((EB_HEADSIZE + uid_size + 2) + ef_buf);
+
+- flags &= ~0x0ff; /* ignore any previous UNIX field */
+-
+ if ( read_ux3_value((EB_HEADSIZE + 2) + ef_buf,
+ uid_size, &z_uidgid[0])
+ &&
diff --git a/data/unzip/debian/patches/18-cve-2014-9913-unzip-buffer-overflow.patch b/data/unzip/debian/patches/18-cve-2014-9913-unzip-buffer-overflow.patch
new file mode 100644
index 000000000..a5675f4fb
--- /dev/null
+++ b/data/unzip/debian/patches/18-cve-2014-9913-unzip-buffer-overflow.patch
@@ -0,0 +1,29 @@
+From: "Steven M. Schweda" <sms@antinode.info>
+Subject: Fix CVE-2014-9913, buffer overflow in unzip
+Bug: https://sourceforge.net/p/infozip/bugs/27/
+Bug-Debian: https://bugs.debian.org/847485
+Bug-Ubuntu: https://launchpad.net/bugs/387350
+X-Debian-version: 6.0-21
+
+--- a/list.c
++++ b/list.c
+@@ -339,7 +339,18 @@
+ G.crec.compression_method == ENHDEFLATED) {
+ methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
+ } else if (methnum >= NUM_METHODS) {
+- sprintf(&methbuf[4], "%03u", G.crec.compression_method);
++ /* 2013-02-26 SMS.
++ * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913.
++ * Unexpectedly large compression methods overflow
++ * &methbuf[]. Use the old, three-digit decimal format
++ * for values which fit. Otherwise, sacrifice the
++ * colon, and use four-digit hexadecimal.
++ */
++ if (G.crec.compression_method <= 999) {
++ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
++ } else {
++ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
++ }
+ }
+
+ #if 0 /* GRR/Euro: add this? */
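Review bot: Both new branches still write with unbounded `sprintf`, so the fix holds only under two assumptions the hunk does not show. `G.crec.compression_method` must be at most 16 bits wide, so that `%04X` emits exactly four digits, and `methbuf` must have room for four characters plus the terminator starting at index 3. Making the bound explicit would remove the dependency on those declarations, for example `snprintf(&methbuf[3], sizeof(methbuf) - 3, "%04X", G.crec.compression_method);` if `methbuf` is an array in this scope. The same applies to the zipinfo.c change in 19-cve-2016-9844-zipinfo-buffer-overflow.patch, where the hexadecimal branch writes from `&methbuf[0]`.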
diff --git a/data/unzip/debian/patches/19-cve-2016-9844-zipinfo-buffer-overflow.patch b/data/unzip/debian/patches/19-cve-2016-9844-zipinfo-buffer-overflow.patch
new file mode 100644
index 000000000..52d07987b
--- /dev/null
+++ b/data/unzip/debian/patches/19-cve-2016-9844-zipinfo-buffer-overflow.patch
@@ -0,0 +1,28 @@
+From: "Steven M. Schweda" <sms@antinode.info>
+Subject: Fix CVE-2016-9844, buffer overflow in zipinfo
+Bug-Debian: https://bugs.debian.org/847486
+Bug-Ubuntu: https://launchpad.net/bugs/1643750
+X-Debian-version: 6.0-21
+
+--- a/zipinfo.c
++++ b/zipinfo.c
+@@ -1921,7 +1921,18 @@
+ ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
+ methbuf[3] = dtype[dnum];
+ } else if (methnum >= NUM_METHODS) { /* unknown */
+- sprintf(&methbuf[1], "%03u", G.crec.compression_method);
++ /* 2016-12-05 SMS.
++ * https://launchpad.net/bugs/1643750
++ * Unexpectedly large compression methods overflow
++ * &methbuf[]. Use the old, three-digit decimal format
++ * for values which fit. Otherwise, sacrifice the "u",
++ * and use four-digit hexadecimal.
++ */
++ if (G.crec.compression_method <= 999) {
++ sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
++ } else {
++ sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
++ }
+ }
+
+ for (k = 0; k < 15; ++k)
diff --git a/data/unzip/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch b/data/unzip/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch
new file mode 100644
index 000000000..10ae0302f
--- /dev/null
+++ b/data/unzip/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch
@@ -0,0 +1,35 @@
+From: Karol Babioch <kbabioch@suse.com>
+Subject: Fix buffer overflow in password protected zip archives
+Bug-Debian: https://bugs.debian.org/889838
+Origin: https://bugzilla.novell.com/attachment.cgi?id=759406
+
+--- a/fileio.c
++++ b/fileio.c
+@@ -1582,6 +1582,10 @@
+ int r = IZ_PW_ENTERED;
+ char *m;
+ char *prompt;
++ char *zfnf;
++ char *efnf;
++ size_t zfnfl;
++ int isOverflow;
+
+ #ifndef REENTRANT
+ /* tell picky compilers to shut up about "unused variable" warnings */
+@@ -1590,7 +1594,15 @@
+
+ if (*rcnt == 0) { /* First call for current entry */
+ *rcnt = 2;
+- if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
++ zfnf = FnFilter1(zfn);
++ efnf = FnFilter2(efn);
++ zfnfl = strlen(zfnf);
++ isOverflow = TRUE;
++ if (2*FILNAMSIZ >= zfnfl && (2*FILNAMSIZ - zfnfl) >= strlen(efnf))
++ {
++ isOverflow = FALSE;
++ }
++ if ((isOverflow == FALSE) && ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL)) {
+ sprintf(prompt, LoadFarString(PasswPrompt),
+ FnFilter1(zfn), FnFilter2(efn));
+ m = prompt;
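Review bot: The new length test and the write it protects are linked only by the constant 15. The two filtered names are bounded by `2*FILNAMSIZ`, but the buffer is still `2*FILNAMSIZ + 15` bytes filled by unbounded `sprintf`, so safety depends on the fixed text of `PasswPrompt` (defined outside the hunk) fitting in 15 bytes including the terminator. The `sprintf` also calls `FnFilter1(zfn)` and `FnFilter2(efn)` again instead of using the `zfnf` and `efnf` that were measured. Bounding the write itself removes both dependencies: `snprintf(prompt, 2*FILNAMSIZ + 15, LoadFarString(PasswPrompt), FnFilter1(zfn), FnFilter2(efn));`. The overflow case falls through to the `else` branch of this `if`, which is outside the hunk and should be checked for a sensible fallback prompt.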
diff --git a/data/unzip/debian/patches/series b/data/unzip/debian/patches/series
new file mode 100644
index 000000000..dfc7cc522
--- /dev/null
+++ b/data/unzip/debian/patches/series
@@ -0,0 +1,20 @@
+01-manpages-in-section-1-not-in-section-1l.patch
+02-this-is-debian-unzip.patch
+03-include-unistd-for-kfreebsd.patch
+04-handle-pkware-verification-bit.patch
+05-fix-uid-gid-handling.patch
+06-initialize-the-symlink-flag.patch
+07-increase-size-of-cfactorstr.patch
+08-allow-greater-hostver-values.patch
+09-cve-2014-8139-crc-overflow.patch
+10-cve-2014-8140-test-compr-eb.patch
+11-cve-2014-8141-getzip64data.patch
+12-cve-2014-9636-test-compr-eb.patch
+13-remove-build-date.patch
+14-cve-2015-7696.patch
+15-cve-2015-7697.patch
+16-fix-integer-underflow-csiz-decrypted.patch
+17-restore-unix-timestamps-accurately.patch
+18-cve-2014-9913-unzip-buffer-overflow.patch
+19-cve-2016-9844-zipinfo-buffer-overflow.patch
+20-cve-2018-1000035-unzip-buffer-overflow.patch
diff --git a/data/unzip/debian/postinst b/data/unzip/debian/postinst
new file mode 100644
index 000000000..e232e2601
--- /dev/null
+++ b/data/unzip/debian/postinst
@@ -0,0 +1,5 @@
+#!/bin/sh
+set -e
+if [ "$1" = "configure" ] && [ -x "`which update-mime 2> /dev/null`" ]; then
+ update-mime
+fi
diff --git a/data/unzip/debian/postrm b/data/unzip/debian/postrm
new file mode 100644
index 000000000..86165e3b4
--- /dev/null
+++ b/data/unzip/debian/postrm
@@ -0,0 +1,5 @@
+#!/bin/sh
+set -e
+if which update-mime > /dev/null 2>&1; then
+ update-mime
+fi
diff --git a/data/unzip/debian/rules b/data/unzip/debian/rules
new file mode 100755
index 000000000..1c4a1f4f0
--- /dev/null
+++ b/data/unzip/debian/rules
@@ -0,0 +1,34 @@
+#!/usr/bin/make -f
+
+export DEB_BUILD_MAINT_OPTIONS=hardening=-format
+
+DEB_HOST_GNU_TYPE := $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+CC = $(DEB_HOST_GNU_TYPE)-gcc
+CFLAGS := `dpkg-buildflags --get CFLAGS` -Wall
+LDFLAGS := `dpkg-buildflags --get LDFLAGS`
+CPPFLAGS := `dpkg-buildflags --get CPPFLAGS`
+DEFINES = -DACORN_FTYPE_NFS -DWILD_STOP_AT_DIR -DLARGE_FILE_SUPPORT \
+ -DUNICODE_SUPPORT -DUNICODE_WCHAR -DUTF8_MAYBE_NATIVE -DNO_LCHMOD \
+ -DDATE_FORMAT=DF_YMD -DUSE_BZIP2 -DIZ_HAVE_UXUIDGID -DNOMEMCPY \
+ -DNO_WORKING_ISPRINT
+
+%:
+ dh $@
+
+override_dh_auto_clean:
+ $(MAKE) -f unix/Makefile clean
+
+override_dh_auto_build:
+ $(MAKE) -f unix/Makefile D_USE_BZ2=-DUSE_BZIP2 L_BZ2=-lbz2 \
+ CC="$(CC)" LF2="$(LDFLAGS)" \
+ CF="$(CFLAGS) $(CPPFLAGS) -I. $(DEFINES)" unzips
+
+override_dh_auto_install:
+ $(MAKE) -f unix/Makefile install prefix=`pwd`/debian/tmp/usr
+
+override_dh_strip:
+ dh_strip
+ cd debian/unzip/usr/bin && rm -f zipinfo && ln unzip zipinfo
+
+override_dh_compress:
+ dh_compress -XBUGS -XToDo
diff --git a/data/unzip/debian/source/format b/data/unzip/debian/source/format
new file mode 100644
index 000000000..163aaf8d8
--- /dev/null
+++ b/data/unzip/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/data/unzip/debian/source/lintian-overrides b/data/unzip/debian/source/lintian-overrides
new file mode 100644
index 000000000..251a68652
--- /dev/null
+++ b/data/unzip/debian/source/lintian-overrides
@@ -0,0 +1,2 @@
+# generated from copyright.in at build time
+unzip source: no-debian-copyright
diff --git a/data/unzip/debian/unzip.docs b/data/unzip/debian/unzip.docs
new file mode 100644
index 000000000..7f604e6e0
--- /dev/null
+++ b/data/unzip/debian/unzip.docs
@@ -0,0 +1,3 @@
+BUGS
+History.600
+ToDo
diff --git a/data/unzip/debian/unzip.install b/data/unzip/debian/unzip.install
new file mode 100644
index 000000000..be053882d
--- /dev/null
+++ b/data/unzip/debian/unzip.install
@@ -0,0 +1,2 @@
+usr/bin/*
+usr/man/* usr/share/man
diff --git a/data/unzip/debian/unzip.links b/data/unzip/debian/unzip.links
new file mode 100644
index 000000000..bac398edb
--- /dev/null
+++ b/data/unzip/debian/unzip.links
@@ -0,0 +1 @@
+usr/share/doc/unzip/History.600.gz usr/share/doc/unzip/changelog.gz
diff --git a/data/unzip/make.sh b/data/unzip/make.sh
index 57f85234b..cb67f5243 100644
--- a/data/unzip/make.sh
+++ b/data/unzip/make.sh
@@ -1,4 +1,14 @@
-pkg:setup
+pkg:extract
+cd unzip*
+for patch in $(cat ../debian/patches/series); do
+ patch -p1 < ../debian/patches/${patch}
+done
+pkg:patch
cp unix/Makefile .
-make unzips CC=${PKG_TARG}-gcc CF='-O3 -Wall -I. -DBSD -DUNIX' LF2=
+pkg:make unzips CC=${PKG_TARG}-gcc \
+ CF='-O3 -Wall -I. -DBSD -DUNIX -DACORN_FTYPE_NFS -DWILD_STOP_AT_DIR \
+ -DLARGE_FILE_SUPPORT -DUNICODE_SUPPORT -DUNICODE_WCHAR -DUTF8_MAYBE_NATIVE \
+ -DNO_LCHMOD -DDATE_FORMAT=DF_YMD -DUSE_BZIP2 -DIZ_HAVE_UXUIDGID ' \
+ LF2= L_BZ2=-lbz2
+
pkg:usrbin unzip funzip unzipsfx
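Review bot: The patch loop does not check the exit status of `patch`, so unless the build runs this script under `set -e` (not visible here), a rejected hunk in one of the CVE patches would still produce a binary with no build failure. The `timestamp.diff` removed by this same commit lists a `unix.c.rej`, so rejects have happened in this tree before. Failing hard and quoting the path closes that gap: `patch -p1 < "../debian/patches/${patch}" || exit 1`. A `while read` loop over `series` would also avoid word-splitting the file's contents through `$(cat …)`.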
diff --git a/data/unzip/timestamp.diff b/data/unzip/timestamp.diff
deleted file mode 100644
index f67747fc2..000000000
--- a/data/unzip/timestamp.diff
+++ /dev/null
@@ -1,246 +0,0 @@
-diff -ur unzip60/consts.h unzip60+iPhone/consts.h
---- unzip60/consts.h 2002-03-23 05:52:48.000000000 -1000
-+++ unzip60+iPhone/consts.h 2018-08-06 11:35:37.000000000 -1000
-@@ -50,5 +50,5 @@
-
- #ifndef SFX
- ZCONST char Far Zipnfo[] = "zipinfo";
-- ZCONST char Far CompiledWith[] = "Compiled with %s%s for %s%s%s%s.\n\n";
-+ ZCONST char Far CompiledWith[] = "Compiled with %s%s for %s%s.\n\n";
- #endif
-diff -ur unzip60/unix/unix.c unzip60+iPhone/unix/unix.c
---- unzip60/unix/unix.c 2009-01-23 13:31:26.000000000 -1000
-+++ unzip60+iPhone/unix/unix.c 2018-08-06 11:43:37.000000000 -1000
-@@ -1517,162 +1517,170 @@
- IZ_OS_NAME,
-
- #if defined(sgi) || defined(__sgi)
-- " (Silicon Graphics IRIX)",
-+ " (Silicon Graphics IRIX)"
- #else
- #ifdef sun
- # ifdef sparc
- # ifdef __SVR4
-- " (Sun SPARC/Solaris)",
-+ " (Sun SPARC/Solaris)"
- # else /* may or may not be SunOS */
-- " (Sun SPARC)",
-+ " (Sun SPARC)"
- # endif
- # else
- # if defined(sun386) || defined(i386)
-- " (Sun 386i)",
-+ " (Sun 386i)"
- # else
- # if defined(mc68020) || defined(__mc68020__)
-- " (Sun 3)",
-+ " (Sun 3)"
- # else /* mc68010 or mc68000: Sun 2 or earlier */
-- " (Sun 2)",
-+ " (Sun 2)"
- # endif
- # endif
- # endif
- #else
- #ifdef __hpux
-- " (HP-UX)",
-+ " (HP-UX)"
- #else
- #ifdef __osf__
-- " (DEC OSF/1)",
-+ " (DEC OSF/1)"
- #else
- #ifdef _AIX
-- " (IBM AIX)",
-+ " (IBM AIX)"
- #else
- #ifdef aiws
-- " (IBM RT/AIX)",
-+ " (IBM RT/AIX)"
- #else
- #if defined(CRAY) || defined(cray)
- # ifdef _UNICOS
-- (sprintf(os_namebuf, " (Cray UNICOS release %d)", _UNICOS), os_namebuf),
-+ (sprintf(os_namebuf, " (Cray UNICOS release %d)", _UNICOS), os_namebuf)
- # else
-- " (Cray UNICOS)",
-+ " (Cray UNICOS)"
- # endif
- #else
- #if defined(uts) || defined(UTS)
-- " (Amdahl UTS)",
-+ " (Amdahl UTS)"
- #else
- #ifdef NeXT
- # ifdef mc68000
-- " (NeXTStep/black)",
-+ " (NeXTStep/black)"
- # else
-- " (NeXTStep for Intel)",
-+ " (NeXTStep for Intel)"
- # endif
- #else /* the next dozen or so are somewhat order-dependent */
- #ifdef LINUX
- # ifdef __ELF__
-- " (Linux ELF)",
-+ " (Linux ELF)"
- # else
-- " (Linux a.out)",
-+ " (Linux a.out)"
- # endif
- #else
- #ifdef MINIX
-- " (Minix)",
-+ " (Minix)"
- #else
- #ifdef M_UNIX
-- " (SCO Unix)",
-+ " (SCO Unix)"
- #else
- #ifdef M_XENIX
-- " (SCO Xenix)",
-+ " (SCO Xenix)"
- #else
- #ifdef __NetBSD__
- # ifdef NetBSD0_8
- (sprintf(os_namebuf, " (NetBSD 0.8%c)", (char)(NetBSD0_8 - 1 + 'A')),
-- os_namebuf),
-+ os_namebuf)
- # else
- # ifdef NetBSD0_9
- (sprintf(os_namebuf, " (NetBSD 0.9%c)", (char)(NetBSD0_9 - 1 + 'A')),
-- os_namebuf),
-+ os_namebuf)
- # else
- # ifdef NetBSD1_0
- (sprintf(os_namebuf, " (NetBSD 1.0%c)", (char)(NetBSD1_0 - 1 + 'A')),
-- os_namebuf),
-+ os_namebuf)
- # else
-- (BSD4_4 == 0.5)? " (NetBSD before 0.9)" : " (NetBSD 1.1 or later)",
-+ (BSD4_4 == 0.5)? " (NetBSD before 0.9)" : " (NetBSD 1.1 or later)"
- # endif
- # endif
- # endif
- #else
- #ifdef __FreeBSD__
-- (BSD4_4 == 0.5)? " (FreeBSD 1.x)" : " (FreeBSD 2.0 or later)",
-+ (BSD4_4 == 0.5)? " (FreeBSD 1.x)" : " (FreeBSD 2.0 or later)"
- #else
- #ifdef __bsdi__
-- (BSD4_4 == 0.5)? " (BSD/386 1.0)" : " (BSD/386 1.1 or later)",
-+ (BSD4_4 == 0.5)? " (BSD/386 1.0)" : " (BSD/386 1.1 or later)"
- #else
- #ifdef __386BSD__
-- (BSD4_4 == 1)? " (386BSD, post-4.4 release)" : " (386BSD)",
-+ (BSD4_4 == 1)? " (386BSD, post-4.4 release)" : " (386BSD)"
- #else
- #ifdef __CYGWIN__
-- " (Cygwin)",
-+ " (Cygwin)"
- #else
- #if defined(i686) || defined(__i686) || defined(__i686__)
-- " (Intel 686)",
-+ " (Intel 686)"
- #else
- #if defined(i586) || defined(__i586) || defined(__i586__)
-- " (Intel 586)",
-+ " (Intel 586)"
- #else
- #if defined(i486) || defined(__i486) || defined(__i486__)
-- " (Intel 486)",
-+ " (Intel 486)"
- #else
- #if defined(i386) || defined(__i386) || defined(__i386__)
-- " (Intel 386)",
-+ " (Intel 386)"
- #else
- #ifdef pyr
-- " (Pyramid)",
-+ " (Pyramid)"
- #else
- #ifdef ultrix
- # ifdef mips
-- " (DEC/MIPS)",
-+ " (DEC/MIPS)"
- # else
- # ifdef vax
-- " (DEC/VAX)",
-+ " (DEC/VAX)"
- # else /* __alpha? */
-- " (DEC/Alpha)",
-+ " (DEC/Alpha)"
- # endif
- # endif
- #else
- #ifdef gould
-- " (Gould)",
-+ " (Gould)"
- #else
- #ifdef MTS
-- " (MTS)",
-+ " (MTS)"
- #else
- #ifdef __convexc__
-- " (Convex)",
-+ " (Convex)"
- #else
- #ifdef __QNX__
-- " (QNX 4)",
-+ " (QNX 4)"
- #else
- #ifdef __QNXNTO__
-- " (QNX Neutrino)",
-+ " (QNX Neutrino)"
- #else
- #ifdef Lynx
-- " (LynxOS)",
-+ " (LynxOS)"
- #else
- #ifdef __APPLE__
- # ifdef __i386__
-- " Mac OS X Intel i32",
-+ " Mac OS X Intel i32"
- # else
- # ifdef __ppc__
-- " Mac OS X PowerPC",
-+ " Mac OS X PowerPC"
- # else
- # ifdef __ppc64__
-- " Mac OS X PowerPC64",
-+ " Mac OS X PowerPC64"
- # else
-- " Mac OS X",
-+# ifdef __arm__
-+ " iPhoneOS ARM"
-+# else
-+# ifdef __arm64__
-+ " iPhoneOS ARM64"
-+# else
-+ " Mac OS X"
-+# endif /* __arm64__ */
-+# endif /* __arm__ */
- # endif /* __ppc64__ */
- # endif /* __ppc__ */
- # endif /* __i386__ */
- #else
-- "",
-+ ""
- #endif /* Apple */
- #endif /* Lynx */
- #endif /* QNX Neutrino */
-@@ -1704,12 +1712,6 @@
- #endif /* HP-UX */
- #endif /* Sun */
- #endif /* SGI */
--
--#ifdef __DATE__
-- " on ", __DATE__
--#else
-- "", ""
--#endif
- );
-
- (*G.message)((zvoid *)&G, slide, (ulg)strlen((char *)slide), 0);
-Only in unzip60+iPhone/unix: unix.c.orig
-Only in unzip60+iPhone/unix: unix.c.rej
diff --git a/data/unzip/unzip_6.0-21+deb9u1.debian.tar.xz b/data/unzip/unzip_6.0-21+deb9u1.debian.tar.xz
new file mode 100644
index 000000000..187a51389
--- /dev/null
+++ b/data/unzip/unzip_6.0-21+deb9u1.debian.tar.xz
Binary files differ