Tavis Ormandy discovered that unzip, when processing specially crafted
ZIP archives, could pass invalid pointers to the C library’s free
routine, potentially leading to arbitrary code execution
(CVE-2008-0888).

For the old stable distribution (sarge), this problem has been fixed
in version 5.52-1sarge5.

For the stable distribution (etch), this problem has been fixed in
version 5.52-9etch1.

The unstable distribution (sid) will be fixed soon.

We recommend that you upgrade your unzip package.