Diffstat (limited to 'data/unzip/debian/changelog')
-rw-r--r-- | data/unzip/debian/changelog | 467 |
1 files changed, 467 insertions, 0 deletions
diff --git a/data/unzip/debian/changelog b/data/unzip/debian/changelog new file mode 100644 index 000000000..1100fa175 --- /dev/null +++ b/data/unzip/debian/changelog 
@@ -0,0 +1,467 @@ +unzip (6.0-21+deb9u1) stretch; urgency=medium + + * Fix buffer overflow in password protected ZIP archives. Closes: #889838. + Patch borrowed from SUSE. For reference, this is CVE-2018-1000035. + + -- Santiago Vila <sanvila@debian.org> Wed, 17 Apr 2019 21:23:40 +0200 + +unzip (6.0-21) unstable; urgency=medium + + * Rename all debian/patches/* to have .patch ending. + * Update 12-cve-2014-9636-test-compr-eb.patch to follow revised + patch "unzip-6.0_overflow3.diff" from mancha (patch author). + Update also to follow upstream coding style. + * Drop workaround for gcc optimization bug on ARM (GCC Bug #764732) + in the hope that it's not present anymore in GCC-6. + * Allow source to be cross-built. Closes: #836051. + * Do not ignore Unix Timestamps. Closes: #842993. Patch by the author. + * Fix CVE-2014-9913, buffer overflow in unzip. Closes: #847485. + Patch by the author. + * Fix CVE-2016-9844, buffer overflow in zipinfo. Closes: #847486. + Patch by the author. + + -- Santiago Vila <sanvila@debian.org> Sun, 11 Dec 2016 21:03:30 +0100 + +unzip (6.0-20) unstable; urgency=high + + * Update debian/patches/16-fix-integer-underflow-csiz-decrypted to fix + regression on encrypted 0-byte files. Closes: #804595. + Thanks to Marc Deslauriers for the fix in Ubuntu. + + -- Santiago Vila <sanvila@debian.org> Mon, 09 Nov 2015 22:15:32 +0100 + +unzip (6.0-19) unstable; urgency=medium + + * Fix infinite loop when extracting password-protected archive. + This is CVE-2015-7697. Closes: #802160. + * Fix heap overflow when extracting password-protected archive. + This is CVE-2015-7696. Closes: #802162. + * Fix additional unsigned overflow on invalid input. + * Thanks a lot to Raphaël Hertzog for the squeeze-lts release, + from which this upload is mainly derived. 
+ + -- Santiago Vila <sanvila@debian.org> Thu, 22 Oct 2015 12:12:46 +0200 + +unzip (6.0-18) unstable; urgency=medium + + * Ship a debian/copyright file in source package instead of generating + it a build time. Closes: #795567. + + -- Santiago Vila <sanvila@debian.org> Sun, 16 Aug 2015 23:34:42 +0200 + +unzip (6.0-17) unstable; urgency=medium + + * Switch to dh. + * Remove build date embedded in binary to make the build reproducible. + Thanks to Jérémy Bobbio <lunar@debian.org>. Closes: #782851. + + -- Santiago Vila <sanvila@debian.org> Sun, 17 May 2015 12:41:52 +0200 + +unzip (6.0-16) unstable; urgency=medium + + * Update 09-cve-2014-8139-crc-overflow to fix CVE-2014-8139 + the right way (patch by the author). Closes: #775640. + * Update 10-cve-2014-8140-test-compr-eb to apply cleanly. + * Update 12-cve-2014-9636-test-compr-eb to follow the extract.c + file from the author. + + -- Santiago Vila <sanvila@debian.org> Fri, 30 Jan 2015 22:16:08 +0100 + +unzip (6.0-15) unstable; urgency=medium + + * Fix heap overflow. Ensure that compressed and uncompressed + block sizes match when using STORED method in extract.c. + Patch taken from Ubuntu. Thanks a lot. Closes: #776589. + For reference, this is CVE-2014-9636. + + -- Santiago Vila <sanvila@debian.org> Thu, 29 Jan 2015 18:39:52 +0100 + +unzip (6.0-14) unstable; urgency=medium + + * Drop -O2 optimization on armhf as a workaround for gcc Bug #764732. + Closes: #773785. + + -- Santiago Vila <sanvila@debian.org> Tue, 30 Dec 2014 22:17:12 +0100 + +unzip (6.0-13) unstable; urgency=medium + + * Apply upstream fix for three security bugs. Closes: #773722. 
+ CVE-2014-8139: CRC32 verification heap-based overflow + CVE-2014-8140: out-of-bounds write issue in test_compr_eb() + CVE-2014-8141: out-of-bounds read issues in getZip64Data() + + -- Santiago Vila <sanvila@debian.org> Mon, 22 Dec 2014 19:16:10 +0100 + +unzip (6.0-12) unstable; urgency=medium + + * Fix zipinfo crash where a value <= 25.5 was printed in a buffer + having room only for values < 10.0. The integral part is now printed + at attribs[11] using %2u instead of attribs[12] using %u. + This way the output is the same as before for values < 10. + Authors tell me that the next unzip release will have a fix + like this, at least for the Unix case. Closes: #744212. + + -- Santiago Vila <sanvila@debian.org> Thu, 24 Apr 2014 23:39:38 +0200 + +unzip (6.0-11) unstable; urgency=medium + + * Lowered mime priority to 3, somewhat below 5 which is file-roller + default value. Closes: #727306. + * Increase size of cfactorstr array in list.c to avoid a buffer + overflow problem. Closes: #741384. + + -- Santiago Vila <sanvila@debian.org> Mon, 17 Mar 2014 17:38:50 +0100 + +unzip (6.0-10) unstable; urgency=low + + * Fixed bug "unzip thinks some files are symlinks". Closes: #717029. + Reported by Jeff King. Patch by Andreas Schwab. + * Added recommended targets build-arch and build-indep. + * Dropped obsolete Conflicts and Replaces on unzip-crypt, for which + the last version was a dummy transitional package. + * The copyright file is generated from copyright.in at build time. + Added lintian override for no-debian-copyright. + + -- Santiago Vila <sanvila@debian.org> Mon, 14 Oct 2013 18:48:40 +0200 + +unzip (6.0-9) unstable; urgency=low + + * Added NO_WORKING_ISPRINT to DEFINES so that UTF8 filenames are + displayed correctly. Reported by Slavek Banko. Closes: #682682. + * Use the right strip command when cross-building. Closes: #695141. 
+ + -- Santiago Vila <sanvila@debian.org> Sun, 24 Feb 2013 17:12:00 +0100 + +unzip (6.0-8) unstable; urgency=low + + * Made unzip -X to actually restore uid/gid information. + Closes: #689212. Thanks to Axel Scheepers for the report. + * Disabled memcpy, as it is being used on overlapping buffers, + leading to data corruption. Closes: #694601. + Thanks to M Joonas Pihlaja for the report. + + -- Santiago Vila <sanvila@debian.org> Wed, 28 Nov 2012 12:41:34 +0100 + +unzip (6.0-7) unstable; urgency=low + + * Added Multi-Arch: foreign. Closes: #678812. + + -- Santiago Vila <sanvila@debian.org> Sat, 30 Jun 2012 14:17:42 +0200 + +unzip (6.0-6) unstable; urgency=low + + * Added hardening flags. Closes: #656268. + + -- Santiago Vila <sanvila@debian.org> Sun, 01 Apr 2012 00:01:40 +0200 + +unzip (6.0-5) unstable; urgency=low + + * Handle the PKWare verification bit of internal attributes. + Patch taken from 6.10 beta. Thanks to sms. Closes: #630078. + + -- Santiago Vila <sanvila@debian.org> Fri, 01 Jul 2011 19:06:08 +0200 + +unzip (6.0-4) unstable; urgency=low + + * Added homepage field to control file. + * Switch to 3.0 (quilt) source format. + * Support cross-build. + + -- Santiago Vila <sanvila@debian.org> Sun, 21 Feb 2010 17:01:00 +0100 + +unzip (6.0-3) unstable; urgency=low + + * Added "set -e" to postinst and postrm. + + -- Santiago Vila <sanvila@debian.org> Tue, 09 Feb 2010 23:53:42 +0100 + +unzip (6.0-2) unstable; urgency=low + + * Do not ignore errors from make clean (lintian warning) + * Remove .comment section from executables (lintian warning). + * Added mime stuff so that mutt is able to see the contents of a zipfile + using "unzip -l". Closes: #474538. + + -- Santiago Vila <sanvila@debian.org> Mon, 08 Feb 2010 18:44:00 +0100 + +unzip (6.0-1) unstable; urgency=low + + * New upstream release. Closes: #496989. + * Enabled new Unicode support. Closes: #197427. 
This may or may not work + for your already created zipfiles, but it's not a bug unless they were + created using the Unicode feature present in zip 3.0. + * Built using DATE_FORMAT=DF_YMD so that unzip -l show dates in ISO format, + as that's the only available one which makes sense. Closes: #312886. + * Enabled new bzip2 support. Closes: #426798. + * Exit code for zipgrep should now be the right one. Closes: #441997. + * The reason why a file may not be created is now shown. Closes: #478791. + * Summary of changes in this version not being the debian/* files: + - Manpages in section 1, not 1L. + - Branding patch. UnZip by Debian. Original by Info-ZIP. + - Always #include <unistd.h>. Debian GNU/kFreeBSD needs it. + + -- Santiago Vila <sanvila@debian.org> Fri, 08 May 2009 20:02:40 +0200 + +unzip (5.52-12) unstable; urgency=medium + + * Fixed stack underflow in unshrink.c. Closes: #454037. + Thanks to Christian Spieler for the patch. + + -- Santiago Vila <sanvila@debian.org> Sat, 26 Jul 2008 16:51:38 +0200 + +unzip (5.52-11) unstable; urgency=high + + * Apply patch from Tavis Ormandy to address invalid free() calls in + the inflate_dynamic() function (CVE-2008-0888). + + -- Santiago Vila <sanvila@debian.org> Thu, 20 Mar 2008 17:53:00 +0100 + +unzip (5.52-10) unstable; urgency=low + + * Fixed typo in unzipsfx(1). Thanks to Kevin Ryde. Closes: #419479. + + -- Santiago Vila <sanvila@debian.org> Mon, 2 Jul 2007 18:08:44 +0200 + +unzip (5.52-9) unstable; urgency=low + + * Added appropriate compiler flags for Large File Support (Closes: #192253). + This procedure is blessed by upstream in the FAQ, and as a result, + some .zip archives may now be uncompressed using Debian unzip. + For those which still may not, please test unzip 6.0 beta. + + -- Santiago Vila <sanvila@debian.org> Wed, 30 Aug 2006 10:34:24 +0200 + +unzip (5.52-8) unstable; urgency=low + + * Modified unix/unxcfg.h to always #include <unistd.h>. + This should now work on GNU/kFreeBSD (Closes: #340693). 
+ + -- Santiago Vila <sanvila@debian.org> Tue, 25 Apr 2006 19:50:24 +0200 + +unzip (5.52-7) unstable; urgency=medium + + * Fixed buffer overflow when insanely long filenames are given on the + command line. Patch from Johnny Lee. Changed some format strings so + that they use 512 characters at most. The "right" fix will be in 5.53, + but this should work well enough for now. Closes: #349794. + * This is CVE-2005-4667. + + -- Santiago Vila <sanvila@debian.org> Thu, 16 Mar 2006 10:31:20 +0100 + +unzip (5.52-6) unstable; urgency=medium + + * Symlinks should work again (Closes: #343680). Fix provided by + Christian Spieler. Thanks to Carl W. Hoffman for the report. + + -- Santiago Vila <sanvila@debian.org> Tue, 20 Dec 2005 19:18:32 +0100 + +unzip (5.52-5) unstable; urgency=low + + * Fixed CAN-2005-2475 the same way it will be fixed in unzip 5.53. + Patch extracted from a prerelease provided by upstream. + * Changed unzip banner line to reflect the fact that this is + a "modified" release. Debian-derived distributions should probably + do the same if they deviate from the Debian version. + + -- Santiago Vila <sanvila@debian.org> Thu, 17 Nov 2005 16:34:24 +0100 + +unzip (5.52-4) unstable; urgency=medium + + * Fixed toctou vulnerability (Closes: #321927). Modified unix/unix.c + to use fchmod() and fchown() instead of chmod() and chown() to change + permissions and ownerships on the files actually created by unzip. + Patch from Dan Yefimov. CAN-2005-2475. + + -- Santiago Vila <sanvila@debian.org> Wed, 9 Nov 2005 18:05:02 +0100 + +unzip (5.52-3) unstable; urgency=low + + * Put manpages in section 1, not 1L. + * Fixed more typos (Closes: #309885). + + -- Santiago Vila <sanvila@debian.org> Wed, 25 May 2005 16:09:02 +0200 + +unzip (5.52-2) unstable; urgency=low + + * Fixed typos in manpage (Closes: #301915). + + -- Santiago Vila <sanvila@debian.org> Sun, 24 Apr 2005 19:27:02 +0200 + +unzip (5.52-1) unstable; urgency=low + + * New upstream release. 
+ * Enabled new -W option via WILD_STOP_AT_DIR macro. + * Macro USE_UNSHRINK is no longer defined, as it's now the default. + + -- Santiago Vila <sanvila@debian.org> Tue, 1 Mar 2005 15:33:54 +0100 + +unzip (5.51-2) unstable; urgency=low + + * Added unshrinking support (Closes: #252563). + + -- Santiago Vila <sanvila@debian.org> Sun, 6 Jun 2004 17:57:46 +0200 + +unzip (5.51-1) unstable; urgency=low + + * New upstream release, improves error message when a zipfile is not + readable (Closes: #139331). + * Added a newline character to the CannotOpenZipfile string for the + previous fix to be really complete. + + -- Santiago Vila <sanvila@debian.org> Tue, 25 May 2004 14:38:26 +0200 + +unzip (5.50-4) unstable; urgency=low + + * Changed __GNU__ to __GLIBC__ in unix/unxcfg.h to support glibc-based + systems not being GNU itself, like GNU/KFreeBSD and GNU/KNetBSD. + + -- Santiago Vila <sanvila@debian.org> Sun, 16 Nov 2003 14:45:28 +0100 + +unzip (5.50-3) unstable; urgency=high + + * Fixed "unzip directory traversal revisited" again (Bug #206439). + There was still a missing case that the previous patch didn't catch. + Patch borrowed from unzip-5.50-33.src.rpm. + * For reference, this is (still) CAN-2003-0282. + + -- Santiago Vila <sanvila@debian.org> Wed, 20 Aug 2003 23:00:42 +0200 + +unzip (5.50-2) unstable; urgency=high + + * Fixed "unzip directory traversal revisited" problem (Bug #199648). + A filename containing ".somenonprintablechar." will not unpack + into .. anymore. Patch borrowed from unzip-5.50-11.src.rpm. + * For reference, this is CAN-2003-0282. + * No more doc symlinks. + + -- Santiago Vila <sanvila@debian.org> Mon, 7 Jul 2003 20:25:20 +0200 + +unzip (5.50-1) unstable; urgency=low + + * New upstream release. + * Moved from non-US/main to main. Section: utils. + + -- Santiago Vila <sanvila@debian.org> Sun, 24 Mar 2002 15:54:12 +0100 + +unzip (5.42-3) unstable; urgency=low + + * Added support for DEB_BUILD_OPTIONS. 
+ + -- Santiago Vila <sanvila@debian.org> Sun, 11 Nov 2001 16:25:00 +0100 + +unzip (5.42-2) unstable; urgency=low + + * Applied a patch from Marcus Brinkmann: + - Closes: #99699: unzip does not build on the Hurd. + - Modified debian/rules to support cross-compilation. + + -- Santiago Vila <sanvila@debian.org> Wed, 6 Jun 2001 16:40:14 +0200 + +unzip (5.42-1) unstable; urgency=low + + * New upstream release. + * Changed to Section: non-US. + * Removed "packaged for Debian" from extended description. + + -- Santiago Vila <sanvila@debian.org> Thu, 10 May 2001 16:47:41 +0200 + +unzip (5.41-1) unstable; urgency=low + + * New upstream release, featuring a new BSD-like license and built-in + encryption support. Moved to non-US/main. + * Copyright file now generated from LICENSE file. + * Versioned Conflicts and Replaces. + * Standards-Version: 3.1.1 + + -- Santiago Vila <sanvila@debian.org> Fri, 18 Aug 2000 19:03:59 +0200 + +unzip (5.40-1) unstable; urgency=low + + * New upstream release. + * Removed `email-from-greg'. + * Fixed URL location in copyright file. + * Enabled -F option, as suggested by James Aylett. + + -- Santiago Vila <sanvila@ctv.es> Fri, 22 Oct 1999 10:30:49 +0200 + +unzip (5.32-1) unstable; urgency=low + + * New upstream release, using pristine source. + + -- Santiago Vila <sanvila@ctv.es> Tue, 4 Nov 1997 14:19:20 +0100 + +unzip (5.31-2) unstable; urgency=low + + * Removed debstd dependency. + + -- Santiago Vila <sanvila@ctv.es> Fri, 17 Oct 1997 17:22:22 +0200 + +unzip (5.31-1) unstable; urgency=low + + * `copyright' file is generated from COPYING automatically. + * Distribution unstable, Section non-free. + * Conflicts and Replaces "unzip-crypt". + * New upstream release. + * First libc6 release. + * Added md5sums. + + -- Santiago Vila <sanvila@ctv.es> Fri, 12 Sep 1997 19:16:59 +0200 + +unzip (5.20-3) unstable; urgency=low + + * Changed priority from `extra' to `optional'. + * Changed section from `misc' to `utils'. 
+ * Simplified debian/rules a little bit. No debstd yet. + * Copied `History.520' as is. Added the symlink changelog -> History.520. + * Added ToDo and BUGS to /usr/doc/unzip. + * New maintainer. + + -- Santiago Vila <sanvila@ctv.es> Sun, 16 Feb 1997 19:29:13 +0100 + +unzip (5.20-2) unstable; urgency=low + + * zipgrep manpage is now installed through the unix/Makefile + * permissions guaranteed to be set properly for the zipgrep script + (did not work for those who compiled from the straight sources.) + * removed several superfluous commands from debian/rules. + * All changes this revision are courtesy of Santiago Vila. + + -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Wed, 8 Jan 1997 18:48:00 +1100 + +unzip (5.20-1) unstable; urgency=low + + * new upstream version + * modified the copyright to include 5.2's COPYING, just in case it's changed. + * minor modifications to debian/rules + * added zipgrep (from the zip package). + + -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Wed, 13 Nov 1996 19:35:24 +1100 + +unzip (5.12-15) unstable; urgency=low + + * received email from the upstream maintainers: unzip can now go into + the distribution proper. Yippee! :-) + * added the email in question to the copyright file. + + -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Sat, 19 Oct 1996 18:34:21 +1000 + +unzip (5.12-14) non-free; urgency=low + + * moved to the 2.1.1.0 source format + * fixed a typo in the Maintainer field (missing the ">". Oops.) + + -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Sun, 1 Sep 1996 07:36:16 +1000 + +unzip (5.12-13) non-free; urgency=low + + * new maintainer + * mods to make the "binary" rule portable to different platforms + * uses dpkg-name rather than manual moving + + -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Tue, 30 Jul 1996 00:00:00 +0000 + +unzip (5.12-12) non-free; urgency=low + + * initial release (used 2 to avoid confusion with old unzip) + + -- Carl Streeter <streeter@cae.wisc.edu> Tue, 5 Sep 1995 00:00:00 +0000 |
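Review bot: The top entry (6.0-21+deb9u1) and several older ones (6.0-21, 6.0-20, 6.0-16) name fixes that live in debian/patches, for example "12-cve-2014-9636-test-compr-eb.patch" and "16-fix-integer-underflow-csiz-decrypted", but the diff shown is limited to data/unzip/debian/changelog, so nothing visible here confirms that the patch series is imported alongside it. Please check that the debian/patches directory matching 6.0-21+deb9u1 lands in the same tree; otherwise this changelog claims the CVE-2018-1000035 fix for sources that may not carry it. Two smaller documentation points apply only if the file is not meant to stay byte-identical to Debian's copy: the 6.0-19 bullet "Fix additional unsigned overflow on invalid input" has no Closes: or CVE reference, unlike the two bullets above it, and the 6.0-18 entry reads "a build time" where "at build time" is meant.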