
Re: [SECURITY] [DLA 1846-1] unzip security update



Hi Markus,

On Sun, Jul 07, 2019 at 10:09:22PM +0200, Markus Koschany wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Package        : unzip
> Version        : 6.0-16+deb8u4
> CVE ID         : CVE-2019-13232
> Debian Bug     : 931433
> 
> David Fifield discovered a way to construct non-recursive "zip bombs"
> that achieve a high compression ratio by overlapping files inside the
> zip container. However, the output size increases quadratically in the
> input size, reaching a compression ratio of over 28 million
> (10 MB -> 281 TB) at the limits of the zip format, which can cause a
> denial of service. Mark Adler provided a patch to detect and reject
> such zip files for the unzip program.

There is a functional regression in unzip caused by this update; Mark
Adler has provided a patch for it, cf. #932404:

To reproduce the issue:

wget http://ftp.mozilla.org/pub/firefox/releases/68.0.1/linux-x86_64/en-US/firefox-68.0.1.tar.bz2
tar xvf firefox-68.0.1.tar.bz2 firefox/omni.ja firefox/browser/omni.ja
unzip firefox/omni.ja
unzip firefox/browser/omni.ja

Regards,
Salvatore


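The check that the DLA describes, rejecting archives whose entries overlap inside the container, can be illustrated independently of unzip. The script below is an added example written for this page; it is not unzip's code, not Mark Adler's patch, and not a reproduction of the #932404 regression. It walks the central directory, reads each entry's local file header to compute the byte span that entry occupies (local header plus compressed data, plus a data descriptor when general-purpose flag bit 3 is set), and reports any two spans that overlap. It deliberately flags overlap only, not gaps or ordering, because legitimate archives may place the central directory or unrelated data between entries, and a stricter contiguity test would reject such layouts. The crafted archive, in which several central-directory entries all point at one local header, is a constructed input and the simplest degenerate form of an overlapping zip; Zip64 and multi-disk archives are out of scope.

```python
"""Detect overlapping entries in a zip container (added example, not unzip's code)."""
import io
import struct
import zipfile
import zlib

LFH_SIG = b"PK\x03\x04"   # local file header
CDH_SIG = b"PK\x01\x02"   # central directory header
EOCD_SIG = b"PK\x05\x06"  # end of central directory record
LFH_FMT = "<4s5H3I2H"     # 30 bytes
CDH_FMT = "<4s6H3I5H2I"   # 46 bytes
EOCD_FMT = "<4sHHHHIIH"   # 22 bytes


def parse_central_directory(data):
    """Return (name, flags, compressed_size, local_offset) for every central directory entry.
    Zip64 is not handled (assumption: small, single-disk archives)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _sig, _disk, _cd_disk, _n_here, n_total, _cd_size, cd_offset, _clen = struct.unpack_from(EOCD_FMT, data, eocd)
    entries, pos = [], cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        (_sig, _vmade, _vneed, flags, _comp, _mt, _md, _crc, csize, _usize,
         nlen, xlen, clen, _disk, _iattr, _eattr, lhoff) = struct.unpack_from(CDH_FMT, data, pos)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append((name, flags, csize, lhoff))
        pos += 46 + nlen + xlen + clen
    return entries


def entry_span(data, flags, csize, lhoff):
    """Byte range [start, end) occupied by one entry: local header, name, extra, data, descriptor."""
    if data[lhoff:lhoff + 4] != LFH_SIG:
        raise ValueError("no local file header at offset %d" % lhoff)
    _sig, _v, lflags, _c, _t, _d, _crc, _cs, _us, nlen, xlen = struct.unpack_from(LFH_FMT, data, lhoff)
    end = lhoff + 30 + nlen + xlen + csize
    if (flags | lflags) & 0x8:  # data descriptor trails the data: 12 bytes, or 16 with its optional signature
        end += 16 if data[end:end + 4] == b"PK\x07\x08" else 12
    return lhoff, end


def find_overlaps(data):
    """Return [(name_a, name_b), ...] for every pair of adjacent (by offset) entries whose spans overlap.
    Gaps between entries are allowed; only overlap is reported."""
    spans = []
    for name, flags, csize, lhoff in parse_central_directory(data):
        start, end = entry_span(data, flags, csize, lhoff)
        spans.append((start, end, name))
    spans.sort()
    return [(a[2], b[2]) for a, b in zip(spans, spans[1:]) if b[0] < a[1]]


def make_benign_zip():
    """Ordinary two-file archive produced by the standard library (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hello.txt", b"hello " * 100)
        zf.writestr("world.txt", b"world " * 100)
    return buf.getvalue()


def craft_zip(names, overlap=False):
    """Hand-built archive (constructed sample input). With overlap=True every central directory
    entry points at the first local header, so all entries share one block of compressed data."""
    plain = b"A" * 4096
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, as stored inside zip entries
    comp = co.compress(plain) + co.flush()
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    out, offsets = bytearray(), []
    for name in names:
        if overlap and offsets:
            offsets.append(offsets[0])
            continue
        offsets.append(len(out))
        nb = name.encode()
        out += struct.pack(LFH_FMT, LFH_SIG, 20, 0, 8, 0, 0, crc, len(comp), len(plain), len(nb), 0) + nb + comp
    cd_start = len(out)
    for name, off in zip(names, offsets):
        nb = name.encode()
        out += struct.pack(CDH_FMT, CDH_SIG, 20, 20, 0, 8, 0, 0, crc, len(comp), len(plain),
                           len(nb), 0, 0, 0, 0, 0, off) + nb
    out += struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, len(names), len(names), len(out) - cd_start, cd_start, 0)
    return bytes(out)


if __name__ == "__main__":
    print("benign:", find_overlaps(make_benign_zip()))
    print("crafted:", find_overlaps(craft_zip(["a.txt", "b.txt", "c.txt"], overlap=True)))
```

Running the script reports no overlaps for the stdlib-built archive and two overlapping pairs for the crafted one. Because the check only compares entry spans, an archive with unused bytes between entries or a central directory stored ahead of the local headers is still accepted.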