It has been reported that versions 5.42 and prior of the unzip utility allow a malicious tar archive to overwrite arbitrary files on the system by embedding reverse directory traversal notation with ('..') in the file names.
Urchin 4 ships with unzip 5.50 as part of its utility suite. This version of unzip does not contain this vulnerability.