The NEEDBITS macro in the inflate_dynamic function in inflate.c for unzip can be invoked using invalid buffers, which allows remote attackers to cause a denial of service (crash) and possible execute arbitrary code via unknown vectors that trigger a free of uninitialized or previously-freed data.

More... (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0888)