unzip (6.0-28) unstable; urgency=medium
.
  * Drop debian/source/lintian-overrides, obsolete since version 6.0-18.
  * Update URI for Info-ZIP license in copyright file.
  * Update standards version to 4.6.2.
  * Run wrap-and-sort.
  * Update Homepage.

unzip (6.0-27) unstable; urgency=medium
.
  * Apply upstream patch for CVE-2022-0529 and CVE-2022-0530.
  - Fix null pointer dereference on invalid UTF-8 input.
  - Fix wide string conversion in process.c.
    Closes: #1010355.

unzip (6.0-26) unstable; urgency=medium
.
  * Two more patches from Mark Adler for CVE-2019-13232. Closes: #963996.
  - Fix bug in UZbunzip2() that incorrectly updated G.incnt.
  - Fix bug in UZinflate() that incorrectly updated G.incnt.
  * Avoid weird zipgrep errors when no members are present.
    Thanks to Kevin Locke. Closes: #972233.
  * Update dependency on debhelper.

unzip (6.0-25) unstable; urgency=medium
.
  * Apply one more patch by Mark Adler:
  - Do not raise a zip bomb alert for a misplaced central directory.
    This should allow Firefox to build again. Closes: #932404.
    Reported by Peter Green. Hopefully CVE-2019-13232 is fixed now.

unzip (6.0-24) unstable; urgency=medium
.
  * Apply two patches by Mark Adler:
  - Fix bug in undefer_input() that misplaced the input state.
  - Detect and reject a zip bomb using overlapped entries. Closes: #931433.
    Bug discovered by David Fifield. For reference, this is CVE-2019-13232.

unzip (6.0-23) unstable; urgency=medium
.
  * Fix lame code in fileio.c which parsed 64-bit values incorrectly.
    Thanks to David Fifield for the report. Closes: #929502.

unzip (6.0-22) unstable; urgency=medium
.
  * Fix buffer overflow in password protected ZIP archives. Closes: #889838.
    Patch borrowed from SUSE. For reference, this is CVE-2018-1000035.
  * Rules-Requires-Root: no.

unzip (6.0-21) unstable; urgency=medium
.
  * Rename all debian/patches/* to have .patch ending.
  * Update 12-cve-2014-9636-test-compr-eb.patch to follow revised
    patch "unzip-6.0_overflow3.diff" from mancha (patch author).
    Update also to follow upstream coding style.
  * Drop workaround for gcc optimization bug on ARM (GCC Bug #764732)
    in the hope that it's not present anymore in GCC-6.
  * Allow source to be cross-built. Closes: #836051.
  * Do not ignore Unix Timestamps. Closes: #842993. Patch by the author.
  * Fix CVE-2014-9913, buffer overflow in unzip. Closes: #847485.
    Patch by the author.
  * Fix CVE-2016-9844, buffer overflow in zipinfo. Closes: #847486.
    Patch by the author.

unzip (6.0-20) unstable; urgency=high
.
  * Update debian/patches/16-fix-integer-underflow-csiz-decrypted to fix
    regression on encrypted 0-byte files. Closes: #804595.
    Thanks to Marc Deslauriers for the fix in Ubuntu.

unzip (6.0-19) unstable; urgency=medium
.
  * Fix infinite loop when extracting password-protected archive.
    This is CVE-2015-7697. Closes: #802160.
  * Fix heap overflow when extracting password-protected archive.
    This is CVE-2015-7696. Closes: #802162.
  * Fix additional unsigned overflow on invalid input.
  * Thanks a lot to Raphaël Hertzog for the squeeze-lts release,
    from which this upload is mainly derived.

unzip (6.0-18) unstable; urgency=medium
.
  * Ship a debian/copyright file in source package instead of generating
    it a build time. Closes: #795567.

unzip (6.0-17) unstable; urgency=medium
.
  * Switch to dh.
  * Remove build date embedded in binary to make the build reproducible.
    Thanks to Jérémy Bobbio <lunar@debian.org>. Closes: #782851.

unzip (6.0-16) unstable; urgency=medium
.
  * Update 09-cve-2014-8139-crc-overflow to fix CVE-2014-8139
    the right way (patch by the author). Closes: #775640.
  * Update 10-cve-2014-8140-test-compr-eb to apply cleanly.
  * Update 12-cve-2014-9636-test-compr-eb to follow the extract.c
    file from the author.

unzip (6.0-15) unstable; urgency=medium
.
  * Fix heap overflow. Ensure that compressed and uncompressed
    block sizes match when using STORED method in extract.c.
    Patch taken from Ubuntu. Thanks a lot. Closes: #776589.
    For reference, this is CVE-2014-9636.

unzip (6.0-14) unstable; urgency=medium
.
  * Drop -O2 optimization on armhf as a workaround for gcc Bug #764732.
    Closes: #773785.

unzip (6.0-13) unstable; urgency=medium
.
  * Apply upstream fix for three security bugs. Closes: #773722.
    CVE-2014-8139: CRC32 verification heap-based overflow
    CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
    CVE-2014-8141: out-of-bounds read issues in getZip64Data()

unzip (6.0-12) unstable; urgency=medium
.
  * Fix zipinfo crash where a value <= 25.5 was printed in a buffer
    having room only for values < 10.0. The integral part is now printed
    at attribs[11] using %2u instead of attribs[12] using %u.
    This way the output is the same as before for values < 10.
    Authors tell me that the next unzip release will have a fix
    like this, at least for the Unix case. Closes: #744212.

unzip (6.0-11) unstable; urgency=medium
.
  * Lowered mime priority to 3, somewhat below 5 which is file-roller
    default value. Closes: #727306.
  * Increase size of cfactorstr array in list.c to avoid a buffer
    overflow problem. Closes: #741384.

unzip (6.0-10) unstable; urgency=low
.
  * Fixed bug "unzip thinks some files are symlinks". Closes: #717029.
    Reported by Jeff King. Patch by Andreas Schwab.
  * Added recommended targets build-arch and build-indep.
  * Dropped obsolete Conflicts and Replaces on unzip-crypt, for which
    the last version was a dummy transitional package.
  * The copyright file is generated from copyright.in at build time.
    Added lintian override for no-debian-copyright.

unzip (6.0-9) unstable; urgency=low
.
  * Added NO_WORKING_ISPRINT to DEFINES so that UTF8 filenames are
    displayed correctly. Reported by Slavek Banko. Closes: #682682.
  * Use the right strip command when cross-building. Closes: #695141.

unzip (6.0-8) unstable; urgency=low
.
  * Made unzip -X to actually restore uid/gid information.
    Closes: #689212. Thanks to Axel Scheepers for the report.
  * Disabled memcpy, as it is being used on overlapping buffers,
    leading to data corruption. Closes: #694601.
    Thanks to M Joonas Pihlaja for the report.

unzip (6.0-7) unstable; urgency=low
.
  * Added Multi-Arch: foreign. Closes: #678812.

unzip (6.0-6) unstable; urgency=low
.
  * Added hardening flags. Closes: #656268.

unzip (6.0-5) unstable; urgency=low
.
  * Handle the PKWare verification bit of internal attributes.
    Patch taken from 6.10 beta. Thanks to sms. Closes: #630078.

unzip (6.0-4) unstable; urgency=low
.
  * Added homepage field to control file.
  * Switch to 3.0 (quilt) source format.
  * Support cross-build.

unzip (6.0-3) unstable; urgency=low
.
  * Added "set -e" to postinst and postrm.

unzip (6.0-2) unstable; urgency=low
.
  * Do not ignore errors from make clean (lintian warning)
  * Remove .comment section from executables (lintian warning).
  * Added mime stuff so that mutt is able to see the contents of a zipfile
    using "unzip -l". Closes: #474538.

unzip (6.0-1) unstable; urgency=low
.
  * New upstream release. Closes: #496989.
  * Enabled new Unicode support. Closes: #197427. This may or may not work
    for your already created zipfiles, but it's not a bug unless they were
    created using the Unicode feature present in zip 3.0.
  * Built using DATE_FORMAT=DF_YMD so that unzip -l show dates in ISO format,
    as that's the only available one which makes sense. Closes: #312886.
  * Enabled new bzip2 support. Closes: #426798.
  * Exit code for zipgrep should now be the right one. Closes: #441997.
  * The reason why a file may not be created is now shown. Closes: #478791.
  * Summary of changes in this version not being the debian/* files:
  - Manpages in section 1, not 1L.
  - Branding patch. UnZip by Debian. Original by Info-ZIP.
  - Always #include <unistd.h>. Debian GNU/kFreeBSD needs it.
.
unzip (5.52-12) unstable; urgency=medium
.
  * Fixed stack underflow in unshrink.c. Closes: #454037.
    Thanks to Christian Spieler for the patch.
.
unzip (5.52-11) unstable; urgency=high
.
  * Apply patch from Tavis Ormandy to address invalid free() calls in
    the inflate_dynamic() function (CVE-2008-0888).
.
unzip (5.52-10) unstable; urgency=low
.
  * Fixed typo in unzipsfx(1). Thanks to Kevin Ryde. Closes: #419479.
.
unzip (5.52-9) unstable; urgency=low
.
  * Added appropriate compiler flags for Large File Support (Closes: #192253).
    This procedure is blessed by upstream in the FAQ, and as a result,
    some .zip archives may now be uncompressed using Debian unzip.
    For those which still may not, please test unzip 6.0 beta.
.
unzip (5.52-8) unstable; urgency=low
.
  * Modified unix/unxcfg.h to always #include <unistd.h>.
    This should now work on GNU/kFreeBSD (Closes: #340693).
.
unzip (5.52-7) unstable; urgency=medium
.
  * Fixed buffer overflow when insanely long filenames are given on the
    command line. Patch from Johnny Lee. Changed some format strings so
    that they use 512 characters at most. The "right" fix will be in 5.53,
    but this should work well enough for now. Closes: #349794.
  * This is CVE-2005-4667.
.
unzip (5.52-6) unstable; urgency=medium
.
  * Symlinks should work again (Closes: #343680). Fix provided by
    Christian Spieler. Thanks to Carl W. Hoffman for the report.
.
unzip (5.52-5) unstable; urgency=low
.
  * Fixed CAN-2005-2475 the same way it will be fixed in unzip 5.53.
    Patch extracted from a prerelease provided by upstream.
  * Changed unzip banner line to reflect the fact that this is
    a "modified" release. Debian-derived distributions should probably
    do the same if they deviate from the Debian version.
.
unzip (5.52-4) unstable; urgency=medium
.
  * Fixed toctou vulnerability (Closes: #321927). Modified unix/unix.c
    to use fchmod() and fchown() instead of chmod() and chown() to change
    permissions and ownerships on the files actually created by unzip.
    Patch from Dan Yefimov. CAN-2005-2475.
.
unzip (5.52-3) unstable; urgency=low
.
  * Put manpages in section 1, not 1L.
  * Fixed more typos (Closes: #309885).
.
unzip (5.52-2) unstable; urgency=low
.
  * Fixed typos in manpage (Closes: #301915).
.
unzip (5.52-1) unstable; urgency=low
.
  * New upstream release.
  * Enabled new -W option via WILD_STOP_AT_DIR macro.
  * Macro USE_UNSHRINK is no longer defined, as it's now the default.
.
unzip (5.51-2) unstable; urgency=low
.
  * Added unshrinking support (Closes: #252563).
.
unzip (5.51-1) unstable; urgency=low
.
  * New upstream release, improves error message when a zipfile is not
    readable (Closes: #139331).
  * Added a newline character to the CannotOpenZipfile string for the
    previous fix to be really complete.
.
unzip (5.50-4) unstable; urgency=low
.
  * Changed __GNU__ to __GLIBC__ in unix/unxcfg.h to support glibc-based
    systems not being GNU itself, like GNU/KFreeBSD and GNU/KNetBSD.
.
unzip (5.50-3) unstable; urgency=high
.
  * Fixed "unzip directory traversal revisited" again (Bug #206439).
    There was still a missing case that the previous patch didn't catch.
    Patch borrowed from unzip-5.50-33.src.rpm.
  * For reference, this is (still) CAN-2003-0282.
.
unzip (5.50-2) unstable; urgency=high
.
  * Fixed "unzip directory traversal revisited" problem (Bug #199648).
    A filename containing ".somenonprintablechar." will not unpack
    into .. anymore. Patch borrowed from unzip-5.50-11.src.rpm.
  * For reference, this is CAN-2003-0282.
  * No more doc symlinks.
.
unzip (5.50-1) unstable; urgency=low
.
  * New upstream release.
  * Moved from non-US/main to main. Section: utils.
.
unzip (5.42-3) unstable; urgency=low
.
  * Added support for DEB_BUILD_OPTIONS.
.
unzip (5.42-2) unstable; urgency=low
.
  * Applied a patch from Marcus Brinkmann:
  - Closes: #99699: unzip does not build on the Hurd.
  - Modified debian/rules to support cross-compilation.
.
unzip (5.42-1) unstable; urgency=low
.
  * New upstream release.
  * Changed to Section: non-US.
  * Removed "packaged for Debian" from extended description.
.
unzip (5.41-1) unstable; urgency=low
.
  * New upstream release, featuring a new BSD-like license and built-in
    encryption support. Moved to non-US/main.
  * Copyright file now generated from LICENSE file.
  * Versioned Conflicts and Replaces.
  * Standards-Version: 3.1.1
.
unzip (5.40-1) unstable; urgency=low
.
  * New upstream release.
  * Removed `email-from-greg'.
  * Fixed URL location in copyright file.
  * Enabled -F option, as suggested by James Aylett.
.
unzip (5.32-1) unstable; urgency=low
.
  * New upstream release, using pristine source.
.
unzip (5.31-2) unstable; urgency=low
.
  * Removed debstd dependency.
.
unzip (5.31-1) unstable; urgency=low
.
  * `copyright' file is generated from COPYING automatically.
  * Distribution unstable, Section non-free.
  * Conflicts and Replaces "unzip-crypt".
  * New upstream release.
  * First libc6 release.
  * Added md5sums.
.
unzip (5.20-3) unstable; urgency=low
.
  * Changed priority from `extra' to `optional'.
  * Changed section from `misc' to `utils'.
  * Simplified debian/rules a little bit. No debstd yet.
  * Copied `History.520' as is. Added the symlink changelog -> History.520.
  * Added ToDo and BUGS to /usr/doc/unzip.
  * New maintainer.
.
unzip (5.20-2) unstable; urgency=low
.
  * zipgrep manpage is now installed through the unix/Makefile
  * permissions guaranteed to be set properly for the zipgrep script
    (did not work for those who compiled from the straight sources.)
  * removed several superfluous commands from debian/rules.
  * All changes this revision are courtesy of Santiago Vila.
.
unzip (5.20-1) unstable; urgency=low
.
  * new upstream version
  * modified the copyright to include 5.2's COPYING, just in case it's changed.
  * minor modifications to debian/rules
  * added zipgrep (from the zip package).
.
unzip (5.12-15) unstable; urgency=low
.
  * received email from the upstream maintainers: unzip can now go into
    the distribution proper. Yippee! :-)
  * added the email in question to the copyright file.
.
unzip (5.12-14) non-free; urgency=low
.
  * moved to the 2.1.1.0 source format
  * fixed a typo in the Maintainer field (missing the ">". Oops.)
.
unzip (5.12-13) non-free; urgency=low
.
  * new maintainer
  * mods to make the "binary" rule portable to different platforms
  * uses dpkg-name rather than manual moving
.
unzip (5.12-12) non-free; urgency=low
.
  * initial release (used 2 to avoid confusion with old unzip)