Might be vulnerable to GLSA 200804-06?
Bundled sources from unzip do not include inflate.c (vulnerable part from GLSA 200804-06), so it's not affected. Don't know if using external unzip is easy/feasible, though
Package last rites in progress in bug #462472