PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9844 Unzip Project CVE debrief

CVE-2016-9844 is a buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0. According to the published description, a malformed central directory file header with a large compression method value can cause a crash, creating a denial-of-service condition. NVD maps the issue to CWE-119 and scores it as medium severity with availability impact only.

Vendor
Unzip Project
Product
CVE-2016-9844
CVSS
MEDIUM 4
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-18
Original CVE updated
2026-05-13
Advisory published
2017-01-18
Advisory updated
2026-05-13

Who should care

Administrators, distro maintainers, and developers who rely on Info-Zip UnZip 6.0 to process untrusted archives should pay attention. File ingestion pipelines, automated unpacking jobs, and any system that inspects user-supplied ZIP files are the most relevant exposure points.

Technical summary

The affected component is zi_short in zipinfo.c. The vulnerability is described as a buffer overflow triggered by an unusually large compression method value in the central directory file header of a ZIP archive. NVD lists the affected CPE as cpe:2.3:a:unzip_project:unzip:6.0:*:*:*:*:*:*:* and assigns CVSS v3.0 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, with CWE-119 as the primary weakness.

Defensive priority

Moderate. The issue is primarily a crash/availability problem, but it affects a widely used archive utility and can be triggered by malformed input. Systems that automatically unpack untrusted ZIP files should be prioritized for review.

Recommended defensive actions

  • Inventory systems and applications that ship or bundle Info-Zip UnZip 6.0.
  • Apply the vendor or distribution update that addresses the vulnerability.
  • Avoid processing untrusted archives with UnZip 6.0 where possible.
  • Run archive extraction in a sandboxed or low-privilege environment.
  • Monitor for unexpected crashes in workflows that inspect ZIP central directory metadata.
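The technical summary above attributes the crash to a central directory file header whose compression method field holds a value UnZip does not expect. A cheap way to act on the "avoid processing untrusted archives" and "monitor workflows that inspect central directory metadata" items is to screen the central directory yourself before an archive reaches the unpacking job. The following is an added example, not code from the PatchSiren page or from Info-Zip: it reads only the End Of Central Directory record and the central directory file headers, never the compressed data, and reports entries whose method id is not one defined in PKWARE's APPNOTE. The `KNOWN_METHODS` set, the `screen_central_directory` function and the `build_sample_zip` fixture are all assumptions of this example; the fixture only exists so the screener can be exercised on a constructed archive offline.

```python
"""Pre-screen a ZIP archive's central directory before handing it to unzip.

Added example (not code from the PatchSiren page or from Info-Zip). It walks the
central directory and reports file entries whose compression method is not a value
defined in PKWARE's APPNOTE, which is the kind of malformed header the CVE-2016-9844
description attributes the crash to. Only the central directory is read; nothing is
extracted.
"""
import io
import struct
import zipfile

EOCD_SIG = 0x06054B50
CDFH_SIG = 0x02014B50
EOCD_FMT = "<IHHHHIIH"          # End Of Central Directory record, 22 bytes
CDFH_FMT = "<IHHHHHHIIIHHHHHII"  # central directory file header, 46 bytes

# Compression method ids defined in PKWARE's APPNOTE. Assumption of this example:
# anything outside this set is reported; tighten to {0, 8} if only stored/deflate
# archives are expected in a given pipeline.
KNOWN_METHODS = {0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 14, 16, 18, 19, 20,
                 93, 94, 95, 96, 97, 98, 99}


def _find_eocd(data):
    """Locate the EOCD record, scanning back over a possible trailing comment."""
    start = max(0, len(data) - 22 - 0xFFFF)
    pos = data.rfind(struct.pack("<I", EOCD_SIG), start)
    if pos < 0:
        raise ValueError("no end-of-central-directory record found")
    return struct.unpack(EOCD_FMT, data[pos:pos + 22])


def screen_central_directory(data, allowed=KNOWN_METHODS):
    """Return [(index, filename, method), ...] for entries with an unexpected method.

    Raises ValueError when the central directory is truncated or mis-signed; a caller
    should treat that outcome as 'do not pass to unzip' as well.
    """
    (_, _, _, _, total_entries, cd_size, cd_offset, _) = _find_eocd(data)
    if cd_offset + cd_size > len(data):
        raise ValueError("central directory extends past end of file")
    findings = []
    pos = cd_offset
    for index in range(total_entries):
        if pos + 46 > len(data):
            raise ValueError("central directory truncated at entry %d" % index)
        fields = struct.unpack(CDFH_FMT, data[pos:pos + 46])
        if fields[0] != CDFH_SIG:
            raise ValueError("bad central directory signature at entry %d" % index)
        method = fields[4]                      # field 5 of the header: compression method
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if method not in allowed:
            findings.append((index, name, method))
        pos += 46 + name_len + extra_len + comment_len
    return findings


def build_sample_zip(method_override=None):
    """Constructed test fixture (not a real-world sample): a one-entry archive, optionally
    with the central directory's compression method field rewritten so the screener has
    something to flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hello.txt", "hello\n")
    data = bytearray(buf.getvalue())
    if method_override is not None:
        cd_offset = _find_eocd(bytes(data))[6]
        # method field sits 10 bytes into the central directory file header
        struct.pack_into("<H", data, cd_offset + 10, method_override)
    return bytes(data)


if __name__ == "__main__":
    print(screen_central_directory(build_sample_zip()))        # []
    print(screen_central_directory(build_sample_zip(0xFFFF)))  # [(0, 'hello.txt', 65535)]
```

In an ingestion pipeline the screener runs on the raw bytes before any extraction step; a non-empty finding list or a `ValueError` both mean the file is routed to quarantine and logged, which also gives the "monitor for unexpected crashes" item a signal that arrives before a crash rather than after it.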

Evidence notes

The NVD record identifies Info-Zip UnZip 6.0 as affected and lists CWE-119, CVSS v3.0 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, and a ZIP central-directory-related overflow in zi_short. The supplied references include oss-security postings dated 2016-12-05, a SecurityFocus entry, and an Ubuntu Launchpad issue, all consistent with public disclosure and downstream tracking.

Official resources

Publicly discussed in oss-security references dated 2016-12-05 and published in the CVE/NVD record on 2017-01-18. The record was later modified on 2026-05-13 as metadata was updated.