The 3rd-party security advisory suggests that the bugs are fixed in UnZip 6.1c23:
https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html

See unzip610c23.zip here:
http://antinode.info/ftp/info-zip/

Unfortunately, this is a zip file, unlike the 9-year-old tarball on the UnZip SourceForge page. Any advice? I suppose we could keep the old UnZip package just to unpack the new one.