@stapelberg
Last active January 6, 2019 12:38
info-zip CVE analysis
I did the following analysis on the status of publicly reported security
vulnerabilities in info-zip, the unzip implementation used by all major Linux
distributions (as well as OpenBSD and NetBSD).

| CVE | impact | debian | rhel | fedora | arch | gentoo | OpenBSD |
|-----|--------|--------|------|--------|------|--------|---------|
| CVE-2018-18384 | (n/a) | fixed | vuln | fixed | fixed | fixed | vuln |
| CVE-2018-1000035 | high | vuln | wontfix | fixed | vuln | vuln | vuln |
| CVE-2016-9844 | medium | fixed | wontfix | fixed | fixed | fixed | vuln |

Disclaimer: some distributions might have system-wide protections against some
of these vulnerabilities; I haven’t checked.
I expect that this is a reasonable sample of the distributions to get my point
across. My take-away is that info-zip’s lack of maintenance puts an undue burden
on package maintainers (to keep up with patches), which can also turn into
security issues.
Note that Debian and Fedora maintain custom unzip patches.