Arch Linux

FS#69739 - [unzip] add patch for CVE-2018-1000035

Attached to Project: Arch Linux
Opened by Conrad Hoffmann (conrausch) - Monday, 22 February 2021, 22:33 GMT
Last edited by Andreas Radke (AndyRTR) - Tuesday, 23 February 2021, 07:15 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Assigned
Assigned To: Lukas Fleischer (lfleischer)
Architecture: All
Severity: High
Priority: Urgent
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No



According to AVG-611 [1], the Arch unzip package is vulnerable to CVE-2018-1000035 [2]. Debian ships a patch [3] for this; see also the respective Debian bug report [4]. Since Arch already ships some Debian patches to unzip, maybe this one could be added and the AVG closed?

The patch applies cleanly. For what it's worth, I am attaching the git diff I used for testing.

