[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DLA 1846-1] unzip security update

Hi Markus,

On Sun, Jul 07, 2019 at 10:09:22PM +0200, Markus Koschany wrote:
> Hash: SHA512
> Package        : unzip
> Version        : 6.0-16+deb8u4
> CVE ID         : CVE-2019-13232
> Debian Bug     : 931433
> David Fifield discovered a way to construct non-recursive "zip bombs"
> that achieve a high compression ratio by overlapping files inside the
> zip container. However the output size increases quadratically in the
> input size, reaching a compression ratio of over 28 million
> (10 MB -> 281 TB) at the limits of the zip format which can cause a
> denial-of-service. Mark Adler provided a patch to detect and reject
> such zip files for the unzip program.

There is a functional regression by this update in unzip, with a patch
provided by Mark Adler, cf. #932404:

To reproduce the issue:

wget http://ftp.mozilla.org/pub/firefox/releases/68.0.1/linux-x86_64/en-US/firefox-68.0.1.tar.bz2
tar xvf firefox-68.0.1.tar.bz2 firefox/omni.ja firefox/browser/omni.ja
unzip firefox/omni.ja
unzip firefox/browser/omni.ja


Reply to: