
Re: [SECURITY] [DLA 1846-1] unzip security update



Hi Salvatore,

On 28.07.19 at 04:37, Salvatore Bonaccorso wrote:
[...]
> There is a functional regression by this update in unzip, with a patch
> provided by Mark Adler, cf. #932404:
> 
> To reproduce the issue:
> 
> wget http://ftp.mozilla.org/pub/firefox/releases/68.0.1/linux-x86_64/en-US/firefox-68.0.1.tar.bz2
> tar xvf firefox-68.0.1.tar.bz2 firefox/omni.ja firefox/browser/omni.ja
> unzip firefox/omni.ja
> unzip firefox/browser/omni.ja

Thanks for reporting this issue. I could reproduce it and intend to
release an update shortly. Please note that the zip file in question,
omni.ja, is invalid according to the zip standard and unzip already
reports an error when extracting it, although it tries to compensate for
that.

P.S.: I don't understand why you have marked CVE-2019-13232 as
unimportant though. According to the security tracker documentation the
definition for unimportant is [1]

In my opinion your assumption that "any server implementing automatic
extraction needs to apply resource limits anyway" is like assuming that
all server operators always implement adequate security protections for
all scenarios that may arise from running the services. We all know this
is not true in real life. Also it is perfectly possible that someone
sends out spam emails with a (concealed) zip bomb attached which may be
opened by an unsuspecting user. Non-tech-savvy people quickly run into
trouble when they unpack such a file and don't realize that their
entire hard disk will fill up in minutes. If at all, no-dsa would be more
appropriate than unimportant.

Regards,

Markus


[1] unimportant: This problem does not affect the Debian binary package,
e.g., a vulnerable source file, which is not built, a vulnerable file in
doc/foo/examples/, PHP Safe mode bugs, path disclosure (doesn't matter
on Debian). All "non-issues in practice" fall also into this category,
like issues only "exploitable" if the code in question is setuid root,
exploits which only work if someone already has administrative
privileges or similar. This severity is also used for vulnerabilities in
packages which are not covered by security support.
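The pre-extraction check the thread argues about, as an added example that is not part of this mail or of unzip: it reads only the central directory and each local file header, flags archives whose declared size or compression ratio is out of bounds, and flags entries whose local headers overlap (the layout an overlapping-entry zip bomb relies on). `zip_risk_report` and `make_sample` are names chosen here; the sample archive is constructed in code, using stored entries so sizes stay deterministic.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"

def zip_risk_report(data, max_total=256 * 2**20, max_ratio=100):
    """Inspect declared sizes and local-header layout of a zip before any
    extraction. Returns entry count, declared size, ratio and findings."""
    findings, spans = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    total = sum(i.file_size for i in infos)
    ratio = total / (sum(i.compress_size for i in infos) or 1)
    if total > max_total:
        findings.append(f"declared size {total} exceeds limit {max_total}")
    if ratio > max_ratio:
        findings.append(f"ratio {ratio:.0f}:1 exceeds {max_ratio}:1")
    for i in infos:
        hdr = data[i.header_offset:i.header_offset + 30]
        if len(hdr) < 30 or hdr[:4] != LOCAL_SIG:
            findings.append(f"{i.filename}: no local header at offset {i.header_offset}")
            continue
        # the local header carries its own name/extra lengths, which may differ
        # from the central directory's; the span is header + name + extra + data
        name_len, extra_len = struct.unpack_from("<HH", hdr, 26)
        end = i.header_offset + 30 + name_len + extra_len + i.compress_size
        spans.append((i.header_offset, end, i.filename))
    spans.sort()
    for (s1, e1, n1), (s2, _, n2) in zip(spans, spans[1:]):
        if s2 < e1:  # two entries quote the same bytes: overlapping-entry layout
            findings.append(f"{n2} overlaps {n1}")
    return {"entries": len(infos), "declared_size": total, "ratio": ratio, "findings": findings}

def make_sample(overlap=False):
    """Constructed sample: two stored entries; with overlap=True the second
    central-directory record is repointed at the first entry's local header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"A" * 4096)
        zf.writestr("b.txt", b"B" * 4096)
    data = bytearray(buf.getvalue())
    if overlap:
        first = data.find(b"PK\x01\x02")
        second = data.find(b"PK\x01\x02", first + 4)
        struct.pack_into("<L", data, second + 42, 0)  # local header offset field
    return bytes(data)

if __name__ == "__main__":
    print(zip_risk_report(make_sample(overlap=True)))
```

The report never reads entry data, so it is safe to run on untrusted input; recent CPython releases additionally raise BadZipFile when an overlapping entry is actually read through `ZipFile.open`.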
