summaryrefslogtreecommitdiff
path: root/data/unzip/debian/changelog
diff options
context:
space:
mode:
Diffstat (limited to 'data/unzip/debian/changelog')
-rw-r--r--data/unzip/debian/changelog467
1 files changed, 467 insertions, 0 deletions
diff --git a/data/unzip/debian/changelog b/data/unzip/debian/changelog
new file mode 100644
index 000000000..1100fa175
--- /dev/null
+++ b/data/unzip/debian/changelog
@@ -0,0 +1,467 @@
+unzip (6.0-21+deb9u1) stretch; urgency=medium
+
+ * Fix buffer overflow in password protected ZIP archives. Closes: #889838.
+ Patch borrowed from SUSE. For reference, this is CVE-2018-1000035.
+
+ -- Santiago Vila <sanvila@debian.org> Wed, 17 Apr 2019 21:23:40 +0200
+
+unzip (6.0-21) unstable; urgency=medium
+
+ * Rename all debian/patches/* to have .patch ending.
+ * Update 12-cve-2014-9636-test-compr-eb.patch to follow revised
+ patch "unzip-6.0_overflow3.diff" from mancha (patch author).
+ Update also to follow upstream coding style.
+ * Drop workaround for gcc optimization bug on ARM (GCC Bug #764732)
+ in the hope that it's not present anymore in GCC-6.
+ * Allow source to be cross-built. Closes: #836051.
+ * Do not ignore Unix Timestamps. Closes: #842993. Patch by the author.
+ * Fix CVE-2014-9913, buffer overflow in unzip. Closes: #847485.
+ Patch by the author.
+ * Fix CVE-2016-9844, buffer overflow in zipinfo. Closes: #847486.
+ Patch by the author.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 11 Dec 2016 21:03:30 +0100
+
+unzip (6.0-20) unstable; urgency=high
+
+ * Update debian/patches/16-fix-integer-underflow-csiz-decrypted to fix
+ regression on encrypted 0-byte files. Closes: #804595.
+ Thanks to Marc Deslauriers for the fix in Ubuntu.
+
+ -- Santiago Vila <sanvila@debian.org> Mon, 09 Nov 2015 22:15:32 +0100
+
+unzip (6.0-19) unstable; urgency=medium
+
+ * Fix infinite loop when extracting password-protected archive.
+ This is CVE-2015-7697. Closes: #802160.
+ * Fix heap overflow when extracting password-protected archive.
+ This is CVE-2015-7696. Closes: #802162.
+ * Fix additional unsigned overflow on invalid input.
+ * Thanks a lot to Raphaël Hertzog for the squeeze-lts release,
+ from which this upload is mainly derived.
+
+ -- Santiago Vila <sanvila@debian.org> Thu, 22 Oct 2015 12:12:46 +0200
+
+unzip (6.0-18) unstable; urgency=medium
+
+ * Ship a debian/copyright file in source package instead of generating
+ it a build time. Closes: #795567.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 16 Aug 2015 23:34:42 +0200
+
+unzip (6.0-17) unstable; urgency=medium
+
+ * Switch to dh.
+ * Remove build date embedded in binary to make the build reproducible.
+ Thanks to Jérémy Bobbio <lunar@debian.org>. Closes: #782851.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 17 May 2015 12:41:52 +0200
+
+unzip (6.0-16) unstable; urgency=medium
+
+ * Update 09-cve-2014-8139-crc-overflow to fix CVE-2014-8139
+ the right way (patch by the author). Closes: #775640.
+ * Update 10-cve-2014-8140-test-compr-eb to apply cleanly.
+ * Update 12-cve-2014-9636-test-compr-eb to follow the extract.c
+ file from the author.
+
+ -- Santiago Vila <sanvila@debian.org> Fri, 30 Jan 2015 22:16:08 +0100
+
+unzip (6.0-15) unstable; urgency=medium
+
+ * Fix heap overflow. Ensure that compressed and uncompressed
+ block sizes match when using STORED method in extract.c.
+ Patch taken from Ubuntu. Thanks a lot. Closes: #776589.
+ For reference, this is CVE-2014-9636.
+
+ -- Santiago Vila <sanvila@debian.org> Thu, 29 Jan 2015 18:39:52 +0100
+
+unzip (6.0-14) unstable; urgency=medium
+
+ * Drop -O2 optimization on armhf as a workaround for gcc Bug #764732.
+ Closes: #773785.
+
+ -- Santiago Vila <sanvila@debian.org> Tue, 30 Dec 2014 22:17:12 +0100
+
+unzip (6.0-13) unstable; urgency=medium
+
+ * Apply upstream fix for three security bugs. Closes: #773722.
+ CVE-2014-8139: CRC32 verification heap-based overflow
+ CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
+ CVE-2014-8141: out-of-bounds read issues in getZip64Data()
+
+ -- Santiago Vila <sanvila@debian.org> Mon, 22 Dec 2014 19:16:10 +0100
+
+unzip (6.0-12) unstable; urgency=medium
+
+ * Fix zipinfo crash where a value <= 25.5 was printed in a buffer
+ having room only for values < 10.0. The integral part is now printed
+ at attribs[11] using %2u instead of attribs[12] using %u.
+ This way the output is the same as before for values < 10.
+ Authors tell me that the next unzip release will have a fix
+ like this, at least for the Unix case. Closes: #744212.
+
+ -- Santiago Vila <sanvila@debian.org> Thu, 24 Apr 2014 23:39:38 +0200
+
+unzip (6.0-11) unstable; urgency=medium
+
+ * Lowered mime priority to 3, somewhat below 5 which is file-roller
+ default value. Closes: #727306.
+ * Increase size of cfactorstr array in list.c to avoid a buffer
+ overflow problem. Closes: #741384.
+
+ -- Santiago Vila <sanvila@debian.org> Mon, 17 Mar 2014 17:38:50 +0100
+
+unzip (6.0-10) unstable; urgency=low
+
+ * Fixed bug "unzip thinks some files are symlinks". Closes: #717029.
+ Reported by Jeff King. Patch by Andreas Schwab.
+ * Added recommended targets build-arch and build-indep.
+ * Dropped obsolete Conflicts and Replaces on unzip-crypt, for which
+ the last version was a dummy transitional package.
+ * The copyright file is generated from copyright.in at build time.
+ Added lintian override for no-debian-copyright.
+
+ -- Santiago Vila <sanvila@debian.org> Mon, 14 Oct 2013 18:48:40 +0200
+
+unzip (6.0-9) unstable; urgency=low
+
+ * Added NO_WORKING_ISPRINT to DEFINES so that UTF8 filenames are
+ displayed correctly. Reported by Slavek Banko. Closes: #682682.
+ * Use the right strip command when cross-building. Closes: #695141.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 24 Feb 2013 17:12:00 +0100
+
+unzip (6.0-8) unstable; urgency=low
+
+ * Made unzip -X to actually restore uid/gid information.
+ Closes: #689212. Thanks to Axel Scheepers for the report.
+ * Disabled memcpy, as it is being used on overlapping buffers,
+ leading to data corruption. Closes: #694601.
+ Thanks to M Joonas Pihlaja for the report.
+
+ -- Santiago Vila <sanvila@debian.org> Wed, 28 Nov 2012 12:41:34 +0100
+
+unzip (6.0-7) unstable; urgency=low
+
+ * Added Multi-Arch: foreign. Closes: #678812.
+
+ -- Santiago Vila <sanvila@debian.org> Sat, 30 Jun 2012 14:17:42 +0200
+
+unzip (6.0-6) unstable; urgency=low
+
+ * Added hardening flags. Closes: #656268.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 01 Apr 2012 00:01:40 +0200
+
+unzip (6.0-5) unstable; urgency=low
+
+ * Handle the PKWare verification bit of internal attributes.
+ Patch taken from 6.10 beta. Thanks to sms. Closes: #630078.
+
+ -- Santiago Vila <sanvila@debian.org> Fri, 01 Jul 2011 19:06:08 +0200
+
+unzip (6.0-4) unstable; urgency=low
+
+ * Added homepage field to control file.
+ * Switch to 3.0 (quilt) source format.
+ * Support cross-build.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 21 Feb 2010 17:01:00 +0100
+
+unzip (6.0-3) unstable; urgency=low
+
+ * Added "set -e" to postinst and postrm.
+
+ -- Santiago Vila <sanvila@debian.org> Tue, 09 Feb 2010 23:53:42 +0100
+
+unzip (6.0-2) unstable; urgency=low
+
+ * Do not ignore errors from make clean (lintian warning)
+ * Remove .comment section from executables (lintian warning).
+ * Added mime stuff so that mutt is able to see the contents of a zipfile
+ using "unzip -l". Closes: #474538.
+
+ -- Santiago Vila <sanvila@debian.org> Mon, 08 Feb 2010 18:44:00 +0100
+
+unzip (6.0-1) unstable; urgency=low
+
+ * New upstream release. Closes: #496989.
+ * Enabled new Unicode support. Closes: #197427. This may or may not work
+ for your already created zipfiles, but it's not a bug unless they were
+ created using the Unicode feature present in zip 3.0.
+ * Built using DATE_FORMAT=DF_YMD so that unzip -l show dates in ISO format,
+ as that's the only available one which makes sense. Closes: #312886.
+ * Enabled new bzip2 support. Closes: #426798.
+ * Exit code for zipgrep should now be the right one. Closes: #441997.
+ * The reason why a file may not be created is now shown. Closes: #478791.
+ * Summary of changes in this version not being the debian/* files:
+ - Manpages in section 1, not 1L.
+ - Branding patch. UnZip by Debian. Original by Info-ZIP.
+ - Always #include <unistd.h>. Debian GNU/kFreeBSD needs it.
+
+ -- Santiago Vila <sanvila@debian.org> Fri, 08 May 2009 20:02:40 +0200
+
+unzip (5.52-12) unstable; urgency=medium
+
+ * Fixed stack underflow in unshrink.c. Closes: #454037.
+ Thanks to Christian Spieler for the patch.
+
+ -- Santiago Vila <sanvila@debian.org> Sat, 26 Jul 2008 16:51:38 +0200
+
+unzip (5.52-11) unstable; urgency=high
+
+ * Apply patch from Tavis Ormandy to address invalid free() calls in
+ the inflate_dynamic() function (CVE-2008-0888).
+
+ -- Santiago Vila <sanvila@debian.org> Thu, 20 Mar 2008 17:53:00 +0100
+
+unzip (5.52-10) unstable; urgency=low
+
+ * Fixed typo in unzipsfx(1). Thanks to Kevin Ryde. Closes: #419479.
+
+ -- Santiago Vila <sanvila@debian.org> Mon, 2 Jul 2007 18:08:44 +0200
+
+unzip (5.52-9) unstable; urgency=low
+
+ * Added appropriate compiler flags for Large File Support (Closes: #192253).
+ This procedure is blessed by upstream in the FAQ, and as a result,
+ some .zip archives may now be uncompressed using Debian unzip.
+ For those which still may not, please test unzip 6.0 beta.
+
+ -- Santiago Vila <sanvila@debian.org> Wed, 30 Aug 2006 10:34:24 +0200
+
+unzip (5.52-8) unstable; urgency=low
+
+ * Modified unix/unxcfg.h to always #include <unistd.h>.
+ This should now work on GNU/kFreeBSD (Closes: #340693).
+
+ -- Santiago Vila <sanvila@debian.org> Tue, 25 Apr 2006 19:50:24 +0200
+
+unzip (5.52-7) unstable; urgency=medium
+
+ * Fixed buffer overflow when insanely long filenames are given on the
+ command line. Patch from Johnny Lee. Changed some format strings so
+ that they use 512 characters at most. The "right" fix will be in 5.53,
+ but this should work well enough for now. Closes: #349794.
+ * This is CVE-2005-4667.
+
+ -- Santiago Vila <sanvila@debian.org> Thu, 16 Mar 2006 10:31:20 +0100
+
+unzip (5.52-6) unstable; urgency=medium
+
+ * Symlinks should work again (Closes: #343680). Fix provided by
+ Christian Spieler. Thanks to Carl W. Hoffman for the report.
+
+ -- Santiago Vila <sanvila@debian.org> Tue, 20 Dec 2005 19:18:32 +0100
+
+unzip (5.52-5) unstable; urgency=low
+
+ * Fixed CAN-2005-2475 the same way it will be fixed in unzip 5.53.
+ Patch extracted from a prerelease provided by upstream.
+ * Changed unzip banner line to reflect the fact that this is
+ a "modified" release. Debian-derived distributions should probably
+ do the same if they deviate from the Debian version.
+
+ -- Santiago Vila <sanvila@debian.org> Thu, 17 Nov 2005 16:34:24 +0100
+
+unzip (5.52-4) unstable; urgency=medium
+
+ * Fixed toctou vulnerability (Closes: #321927). Modified unix/unix.c
+ to use fchmod() and fchown() instead of chmod() and chown() to change
+ permissions and ownerships on the files actually created by unzip.
+ Patch from Dan Yefimov. CAN-2005-2475.
+
+ -- Santiago Vila <sanvila@debian.org> Wed, 9 Nov 2005 18:05:02 +0100
+
+unzip (5.52-3) unstable; urgency=low
+
+ * Put manpages in section 1, not 1L.
+ * Fixed more typos (Closes: #309885).
+
+ -- Santiago Vila <sanvila@debian.org> Wed, 25 May 2005 16:09:02 +0200
+
+unzip (5.52-2) unstable; urgency=low
+
+ * Fixed typos in manpage (Closes: #301915).
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 24 Apr 2005 19:27:02 +0200
+
+unzip (5.52-1) unstable; urgency=low
+
+ * New upstream release.
+ * Enabled new -W option via WILD_STOP_AT_DIR macro.
+ * Macro USE_UNSHRINK is no longer defined, as it's now the default.
+
+ -- Santiago Vila <sanvila@debian.org> Tue, 1 Mar 2005 15:33:54 +0100
+
+unzip (5.51-2) unstable; urgency=low
+
+ * Added unshrinking support (Closes: #252563).
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 6 Jun 2004 17:57:46 +0200
+
+unzip (5.51-1) unstable; urgency=low
+
+ * New upstream release, improves error message when a zipfile is not
+ readable (Closes: #139331).
+ * Added a newline character to the CannotOpenZipfile string for the
+ previous fix to be really complete.
+
+ -- Santiago Vila <sanvila@debian.org> Tue, 25 May 2004 14:38:26 +0200
+
+unzip (5.50-4) unstable; urgency=low
+
+ * Changed __GNU__ to __GLIBC__ in unix/unxcfg.h to support glibc-based
+ systems not being GNU itself, like GNU/KFreeBSD and GNU/KNetBSD.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 16 Nov 2003 14:45:28 +0100
+
+unzip (5.50-3) unstable; urgency=high
+
+ * Fixed "unzip directory traversal revisited" again (Bug #206439).
+ There was still a missing case that the previous patch didn't catch.
+ Patch borrowed from unzip-5.50-33.src.rpm.
+ * For reference, this is (still) CAN-2003-0282.
+
+ -- Santiago Vila <sanvila@debian.org> Wed, 20 Aug 2003 23:00:42 +0200
+
+unzip (5.50-2) unstable; urgency=high
+
+ * Fixed "unzip directory traversal revisited" problem (Bug #199648).
+ A filename containing ".somenonprintablechar." will not unpack
+ into .. anymore. Patch borrowed from unzip-5.50-11.src.rpm.
+ * For reference, this is CAN-2003-0282.
+ * No more doc symlinks.
+
+ -- Santiago Vila <sanvila@debian.org> Mon, 7 Jul 2003 20:25:20 +0200
+
+unzip (5.50-1) unstable; urgency=low
+
+ * New upstream release.
+ * Moved from non-US/main to main. Section: utils.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 24 Mar 2002 15:54:12 +0100
+
+unzip (5.42-3) unstable; urgency=low
+
+ * Added support for DEB_BUILD_OPTIONS.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 11 Nov 2001 16:25:00 +0100
+
+unzip (5.42-2) unstable; urgency=low
+
+ * Applied a patch from Marcus Brinkmann:
+ - Closes: #99699: unzip does not build on the Hurd.
+ - Modified debian/rules to support cross-compilation.
+
+ -- Santiago Vila <sanvila@debian.org> Wed, 6 Jun 2001 16:40:14 +0200
+
+unzip (5.42-1) unstable; urgency=low
+
+ * New upstream release.
+ * Changed to Section: non-US.
+ * Removed "packaged for Debian" from extended description.
+
+ -- Santiago Vila <sanvila@debian.org> Thu, 10 May 2001 16:47:41 +0200
+
+unzip (5.41-1) unstable; urgency=low
+
+ * New upstream release, featuring a new BSD-like license and built-in
+ encryption support. Moved to non-US/main.
+ * Copyright file now generated from LICENSE file.
+ * Versioned Conflicts and Replaces.
+ * Standards-Version: 3.1.1
+
+ -- Santiago Vila <sanvila@debian.org> Fri, 18 Aug 2000 19:03:59 +0200
+
+unzip (5.40-1) unstable; urgency=low
+
+ * New upstream release.
+ * Removed `email-from-greg'.
+ * Fixed URL location in copyright file.
+ * Enabled -F option, as suggested by James Aylett.
+
+ -- Santiago Vila <sanvila@ctv.es> Fri, 22 Oct 1999 10:30:49 +0200
+
+unzip (5.32-1) unstable; urgency=low
+
+ * New upstream release, using pristine source.
+
+ -- Santiago Vila <sanvila@ctv.es> Tue, 4 Nov 1997 14:19:20 +0100
+
+unzip (5.31-2) unstable; urgency=low
+
+ * Removed debstd dependency.
+
+ -- Santiago Vila <sanvila@ctv.es> Fri, 17 Oct 1997 17:22:22 +0200
+
+unzip (5.31-1) unstable; urgency=low
+
+ * `copyright' file is generated from COPYING automatically.
+ * Distribution unstable, Section non-free.
+ * Conflicts and Replaces "unzip-crypt".
+ * New upstream release.
+ * First libc6 release.
+ * Added md5sums.
+
+ -- Santiago Vila <sanvila@ctv.es> Fri, 12 Sep 1997 19:16:59 +0200
+
+unzip (5.20-3) unstable; urgency=low
+
+ * Changed priority from `extra' to `optional'.
+ * Changed section from `misc' to `utils'.
+ * Simplified debian/rules a little bit. No debstd yet.
+ * Copied `History.520' as is. Added the symlink changelog -> History.520.
+ * Added ToDo and BUGS to /usr/doc/unzip.
+ * New maintainer.
+
+ -- Santiago Vila <sanvila@ctv.es> Sun, 16 Feb 1997 19:29:13 +0100
+
+unzip (5.20-2) unstable; urgency=low
+
+ * zipgrep manpage is now installed through the unix/Makefile
+ * permissions guaranteed to be set properly for the zipgrep script
+ (did not work for those who compiled from the straight sources.)
+ * removed several superfluous commands from debian/rules.
+ * All changes this revision are courtesy of Santiago Vila.
+
+ -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Wed, 8 Jan 1997 18:48:00 +1100
+
+unzip (5.20-1) unstable; urgency=low
+
+ * new upstream version
+ * modified the copyright to include 5.2's COPYING, just in case it's changed.
+ * minor modifications to debian/rules
+ * added zipgrep (from the zip package).
+
+ -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Wed, 13 Nov 1996 19:35:24 +1100
+
+unzip (5.12-15) unstable; urgency=low
+
+ * received email from the upstream maintainers: unzip can now go into
+ the distribution proper. Yippee! :-)
+ * added the email in question to the copyright file.
+
+ -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Sat, 19 Oct 1996 18:34:21 +1000
+
+unzip (5.12-14) non-free; urgency=low
+
+ * moved to the 2.1.1.0 source format
+ * fixed a typo in the Maintainer field (missing the ">". Oops.)
+
+ -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Sun, 1 Sep 1996 07:36:16 +1000
+
+unzip (5.12-13) non-free; urgency=low
+
+ * new maintainer
+ * mods to make the "binary" rule portable to different platforms
+ * uses dpkg-name rather than manual moving
+
+ -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Tue, 30 Jul 1996 00:00:00 +0000
+
+unzip (5.12-12) non-free; urgency=low
+
+ * initial release (used 2 to avoid confusion with old unzip)
+
+ -- Carl Streeter <streeter@cae.wisc.edu> Tue, 5 Sep 1995 00:00:00 +0000