This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
FYI: un/zip update available
- From: "Buchbinder, Barry (NIH/NIAID) [E]" <BBuchbinder at niaid dot nih dot gov>
- To: <cygwin-apps at cygwin dot com>
- Date: Mon, 28 Aug 2006 22:28:55 -0400
- Subject: FYI: un/zip update available
I do not mean to bug the maintainer, request an update, or imply that
the maintainer is not paying attention to the canonical site, but in
case the maintainer just hasn't noticed ...
<http://www.info-zip.org/>:
- "Zip 2.32 was released on 20 June 2006."
<http://www.info-zip.org/Zip.html>: "All known vulnerabilities are
fixed in Zip 2.32." "Zip 2.3 and (presumably) all previous versions
have a buffer-overrun vulnerability relating to deep directory paths
that could potentially lead to local privilege escalation ..."
- "UnZip 5.52 was released on 27 February 2005."
<http://www.info-zip.org/UnZip.html>: "All versions of UnZip through
5.50 have a number of directory-traversal vulnerabilities ..."
/c> cygcheck -c zip; ls -og /bin/zip.exe
Cygwin Package Information
Package Version Status
zip 2.3-6 OK
-rwxrwxrwx 1 63488 2004-02-26 20:37:16 /bin/zip.exe
/c> cygcheck -c unzip; ls -og /bin/unzip.exe
Cygwin Package Information
Package Version Status
unzip 5.50-5 OK
-rwxrwxrwx 1 108544 2003-08-09 03:32:53 /bin/unzip.exe
Again, I do not mean to bug the maintainer and appreciate all the work
that s/he has done maintaining the zip and unzip packages.
- Barry
- Disclaimer: Statements made herein are not made on behalf of
NIAID.
- If you believe you received this e-mail in error, you are
probably sadly mistaken, but if not, aren't you lucky?
- Sending this e-mail does not constitute endorsement of the
contents; I may change my mind later.
- This e-mail may have been sent in haste; if any of its contents
are offensive, inappropriate, inaccurate, ungrammatical, misspelled, or
incomplete, too bad.
- Ideas in this e-mail are bigger than they appear and the writer
may be smarter than he appears.