Dear openSUSE factory maintainers,

I already created a comment on OBS in the Archiving:unzip package (https://build.opensuse.org/package/show/Archiving/unzip), which I guess is the base for factory:unzip.

But ... I'm writing here again because I can't even begin to imagine how many systems this bug has hit. How many installations were broken by this. How many deployment pipelines (like in our case) or manual app installations (like in our case) were broken again and again by this unzip bug.

Summary for the bug: When you extract a zip archive where the files do not have explicit permissions set, around one in 10,000 files gets (reproducibly) converted into a symlink! The former content of the file then gets converted into the link target. This bug is fixed in the Debian/Ubuntu version of unzip, so my guess is that it's fixed by one of the missing CVE patches.

Usually I wouldn't be this alarmist, but the basic and standard unzip program reproducibly and consistently breaking files on *all* Tumbleweed as well as *all* Leap installations is pretty important, I guess.

Kind regards,
Kira Backes
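As an added check, not part of this email or of the unzip project: a Python script that compares the entry types an archive declares (Unix mode in the high 16 bits of external_attr) with what actually landed on disk, and flags regular-file entries that exist as symlinks after extraction, which is the symptom described above. The sample archive, the extraction via Python's zipfile module (standing in for whichever unzip build is under test) and the symlink swap in `demo()` are all constructed for illustration.

```python
import os
import stat
import tempfile
import zipfile


def archive_symlink_entries(zip_path):
    """Names of entries the archive itself marks as symlinks.
    Entries with no explicit permissions (external_attr == 0) count as files."""
    links = set()
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if stat.S_ISLNK(info.external_attr >> 16):
                links.add(info.filename)
    return links


def find_unexpected_symlinks(zip_path, extract_dir):
    """Return sorted (entry_name, link_target) pairs for entries the archive
    stores as regular files but that are symlinks on disk after extraction."""
    expected_links = archive_symlink_entries(zip_path)
    bad = []
    with zipfile.ZipFile(zip_path) as zf:
        for name in zf.namelist():
            if name.endswith("/") or name in expected_links:
                continue  # directories and genuine symlink entries are fine
            path = os.path.join(extract_dir, name)
            if os.path.islink(path):
                bad.append((name, os.readlink(path)))
    return sorted(bad)


def demo():
    """Constructed scenario: plain files without explicit permissions are
    extracted correctly, then one file is replaced by a symlink whose target
    is its former content, mimicking the reported breakage."""
    tmp = tempfile.mkdtemp()
    zip_path = os.path.join(tmp, "sample.zip")
    with zipfile.ZipFile(zip_path, "w") as zf:
        for i in range(5):
            info = zipfile.ZipInfo(f"app/file{i}.txt")  # external_attr stays 0
            zf.writestr(info, f"content-{i}")
    out = os.path.join(tmp, "out")
    with zipfile.ZipFile(zip_path) as zf:
        zf.extractall(out)
    clean_result = find_unexpected_symlinks(zip_path, out)  # expect []
    victim = os.path.join(out, "app/file3.txt")
    with open(victim) as f:
        former_content = f.read()
    os.remove(victim)
    os.symlink(former_content, victim)  # content became the link target
    return clean_result, find_unexpected_symlinks(zip_path, out)
```

Run `find_unexpected_symlinks()` against a real archive and its extraction directory to confirm whether a given unzip build exhibits the problem.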