> > (The Debian version in turn had already a bunch of other changes to
> > fix other CVE issues and other misc fixes, I hope there are not
> > incompatibilities).
>
> Well, apparently there is an incompatibility. I can make no promises about
> applying those commits to an unzip source of unknown provenance.

I understand, that's why I also contacted Steven Schweda for the zipbomb issue.

> Where do I find this source?

The source is distributed as the original tarball (which you already have)
plus this:

http://deb.debian.org/debian/pool/main/u/unzip/unzip_6.0-24.debian.tar.xz

[ We use quilt here. Patches are in debian/patches and they are applied
sequentially in the order stated by debian/patches/series ].

Thanks.
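Added example, not part of the thread and not quilt's or dpkg's own code: it walks a quilt-style debian/patches directory the way the message describes (the patches named in debian/patches/series, applied top to bottom, and nothing else), and reports patch files that sit in the directory but are not listed, which is the first thing to check when auditing what a packaged source actually contains. The source tree, the two patches, the unused patch and the series file are all constructed in a temp directory; patch application is a minimal pure-Python unified-diff applier so it runs offline, whereas real quilt and dpkg-source drive GNU patch and accept far more of the format.

```python
import os
import re
import tempfile


def read_series(patch_dir):
    """Return [(patch_path, strip_level)] in series order.
    Blank lines and '#' comments are skipped; an optional '-pN' after the
    file name overrides the default strip level of 1, as quilt does."""
    entries = []
    with open(os.path.join(patch_dir, "series")) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            name, *opts = line.split()
            level = 1
            for opt in opts:
                if opt.startswith("-p"):
                    level = int(opt[2:])
            entries.append((os.path.join(patch_dir, name), level))
    return entries


def unlisted_patches(patch_dir):
    """Patch files on disk but absent from series: they are never applied."""
    listed = {os.path.basename(p) for p, _ in read_series(patch_dir)}
    on_disk = {f for f in os.listdir(patch_dir)
               if f != "series" and not f.startswith(".")}
    return sorted(on_disk - listed)


HUNK = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def apply_unified(tree, patch_text, strip=1):
    """Apply a single-file unified diff to `tree`. Context and '-' lines
    must match exactly; a mismatch raises, like a failed hunk in patch(1)."""
    lines = patch_text.splitlines()
    i = 0
    while i < len(lines) and not lines[i].startswith("+++ "):
        i += 1
    path = lines[i][4:].split("\t")[0]
    rel = "/".join(path.split("/")[strip:])      # drop -pN leading components
    fpath = os.path.join(tree, rel)
    with open(fpath) as fh:
        old = fh.read().splitlines()
    new, cursor, i = [], 0, i + 1
    while i < len(lines):
        m = HUNK.match(lines[i])
        if not m:
            i += 1
            continue
        start = max(int(m.group(1)) - 1, 0)       # hunk offsets are 1-based
        new.extend(old[cursor:start])
        cursor, i = start, i + 1
        while i < len(lines) and not lines[i].startswith("@@"):
            tag, body = lines[i][:1], lines[i][1:]
            if tag in (" ", "-"):
                if cursor >= len(old) or old[cursor] != body:
                    raise ValueError(f"hunk does not apply to {rel}: {lines[i]!r}")
                if tag == " ":
                    new.append(body)
                cursor += 1
            elif tag == "+":
                new.append(body)
            elif tag != "\\":                     # '\ No newline at end of file'
                break
            i += 1
    new.extend(old[cursor:])
    with open(fpath, "w") as fh:
        fh.write("\n".join(new) + "\n")


def apply_series(tree, patch_dir):
    """Apply every series entry in order; return the names applied."""
    applied = []
    for path, level in read_series(patch_dir):
        with open(path) as fh:
            apply_unified(tree, fh.read(), level)
        applied.append(os.path.basename(path))
    return applied


# Constructed fixture: the second patch only applies on top of the first.
PATCH_1 = "--- a/greet.c\n+++ b/greet.c\n@@ -1 +1 @@\n-hello\n+hello patched\n"
PATCH_2 = "--- a/greet.c\n+++ b/greet.c\n@@ -1 +1,2 @@\n hello patched\n+second fix\n"


def build_fixture():
    root = tempfile.mkdtemp()
    tree = os.path.join(root, "src")
    pdir = os.path.join(root, "debian", "patches")
    os.makedirs(tree)
    os.makedirs(pdir)
    with open(os.path.join(tree, "greet.c"), "w") as fh:
        fh.write("hello\n")
    for name, text in (("01-first.patch", PATCH_1), ("02-second.patch", PATCH_2),
                       ("99-unused.patch", PATCH_1)):   # present but not in series
        with open(os.path.join(pdir, name), "w") as fh:
            fh.write(text)
    with open(os.path.join(pdir, "series"), "w") as fh:
        fh.write("# applied top to bottom\n01-first.patch\n\n02-second.patch -p1\n")
    return tree, pdir


def demo():
    """Returns (applied names, unlisted patch files, final file content)."""
    tree, pdir = build_fixture()
    applied = apply_series(tree, pdir)
    with open(os.path.join(tree, "greet.c")) as fh:
        return applied, unlisted_patches(pdir), fh.read()


def order_matters():
    """Swap the series order: the second patch's context no longer matches."""
    tree, pdir = build_fixture()
    with open(os.path.join(pdir, "series"), "w") as fh:
        fh.write("02-second.patch\n01-first.patch\n")
    try:
        apply_series(tree, pdir)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    applied, unlisted, content = demo()
    print("applied in series order:", applied)
    print("on disk but never applied:", unlisted)
    print(content, end="")
    print("reversed series fails:", order_matters())
```

The two checks worth keeping from this when reviewing a Debian source package are the ones `demo()` and `order_matters()` return: the applied list is exactly the series file, so a patch that is shipped but not listed changes nothing, and the order is not cosmetic, since a later patch's context depends on the earlier ones.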