Deficiencies in our unzip60 build
We know that there have been locale issues in the past, which none of us can test. Today I hit a test failure in Archive::Zip (new test in the last few months) which seems to be happening because our unzip cannot deal with zip archives which contain a member compressed with bzip2.
Looking at Fedora, they apply the usual shed load of patches, including a fix for the bzip2 problem, fixes for locales, and a mass of security and hardening fixes, some of which have CVEs going back to 2014 (and documented in Debian), others of which are overflows (buffer, heap). At least some of these come from upstream InfoZip.
AFAICS upstream appears to be defunct (from the SourceForge page, 6.1 was in development, and likely to be the last version - but that page was last updated in 2009).
I'll look through the patches to see which seem unnecessary (so far a typo in a manpage and a change to permit symlinks). A quick and dirty test with only the configure patches shows that unzip and zipinfo will be linked to libbz2.so.
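
An added example, not part of the ticket or of any distribution's patches: a Python check that reads a zip archive's central directory and lists members whose compression method (12 is bzip2 in the ZIP specification) falls outside what a given unzip build handles. The function names, the default supported set and the sample archive are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

# Compression method ids from the ZIP specification (APPNOTE).
METHODS = {0: "stored", 8: "deflate", 12: "bzip2", 14: "lzma"}
EOCD = struct.Struct("<4s4H2IH")    # end-of-central-directory record (22 bytes)
CDH = struct.Struct("<4s6H3I5H2I")  # central directory file header (46 bytes)

def member_methods(data):
    """Return [(name, method id)] from the central directory (no Zip64)."""
    pos = data.rfind(b"PK\x05\x06")
    if pos < 0 or pos + EOCD.size > len(data):
        raise ValueError("no end-of-central-directory record")
    total, cd_size, cd_off = EOCD.unpack_from(data, pos)[4:7]
    if cd_off + cd_size > pos:
        raise ValueError("central directory lies outside the archive")
    out, p = [], cd_off
    for _ in range(total):
        if p + CDH.size > pos:
            raise ValueError("truncated central directory")
        f = CDH.unpack_from(data, p)
        if f[0] != b"PK\x01\x02":
            raise ValueError("bad central directory signature")
        flags, method = f[3], f[4]
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        raw = data[p + CDH.size:p + CDH.size + name_len]
        # General purpose bit 11 marks UTF-8 names; otherwise cp437.
        out.append((raw.decode("utf-8" if flags & 0x800 else "cp437"), method))
        p += CDH.size + name_len + extra_len + comment_len
    return out

def needs_other_support(data, supported=frozenset({0, 8})):
    """Members whose method is not in `supported` (default is an assumed
    store+deflate baseline, not a statement about any particular build)."""
    return [n for n, m in member_methods(data) if m not in supported]

def build_sample():
    """Constructed sample: one stored, one deflated, one bzip2 member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("a.txt", b"stored", compress_type=zipfile.ZIP_STORED)
        z.writestr("b.txt", b"deflate " * 20, compress_type=zipfile.ZIP_DEFLATED)
        z.writestr("c.txt", b"bzip2 " * 20, compress_type=zipfile.ZIP_BZIP2)
    return buf.getvalue()

if __name__ == "__main__":
    for name, method in member_methods(build_sample()):
        print(name, METHODS.get(method, f"method {method}"))
```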