On Thu, Jul 04, 2019 at 10:50:46PM +0200, Salvatore Bonaccorso wrote:
> Source: unzip
> Version: 6.0-23
> Severity: important
> Tags: security upstream
> Control: found -1 6.0-21+deb9u1
> Control: found -1 6.0-21
>
> Hi,
>
> The following vulnerability was published for unzip.
>
> CVE-2019-13232[0]:
> | Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP
> | container, leading to denial of service (resource consumption), aka a
> | "better zip bomb" issue.
>
> There seems to be a fork of Info-ZIP UnZip trying to address this
> issue, but I am not sure if we should follow that.
Hello Salvatore. Thanks for the report.

You probably mean the GitHub repository by Mark Adler: https://github.com/madler/unzip

The description says "Fork of InfoZIP UnZip 6.0 for new zip bomb detection patch", so I would consider this just a way to distribute the patch fixing the bug, rather than a proper "fork". (Note: Mark Adler was one of the original unzip authors; I'm glad to see him still around.)

I'll contact Steven M Schweda, the current maintainer.

Thanks.
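Not part of either message above: as an added illustration of the overlap the CVE text describes, a small Python checker (assumed names; not unzip's code and not Mark Adler's patch) that parses a ZIP central directory, computes the byte range each member's local header and compressed data occupy, and reports members whose ranges share bytes, the condition a defender wants to refuse before extracting. The sample archive is constructed with the standard library and then patched so its entries overlap; no actual bomb is built.

```python
import io
import struct
import zipfile

def central_directory_entries(data):
    """Yield (name, local_header_offset, compressed_size, cdh_offset) per central-directory entry."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)  # entries, cd size, cd offset
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory header at %d" % pos)
        # +20 compressed size (+24 uncompressed, skipped), +28/+30/+32 name/extra/comment lengths
        comp_size, name_len, extra_len, comment_len = struct.unpack_from("<I4xHHH", data, pos + 20)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        yield data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"), local_off, comp_size, pos
        pos += 46 + name_len + extra_len + comment_len

def local_span(data, local_off, comp_size):
    """Byte range [start, end) covered by a local file header plus its compressed data."""
    if data[local_off:local_off + 4] != b"PK\x03\x04":
        raise ValueError("bad local file header at %d" % local_off)
    name_len, extra_len = struct.unpack_from("<HH", data, local_off + 26)
    return local_off, local_off + 30 + name_len + extra_len + comp_size

def overlapping_entries(data):
    """Return (earlier, later) name pairs whose local entries share bytes; [] for a sane archive."""
    spans = sorted(local_span(data, off, size) + (name,)
                   for name, off, size, _ in central_directory_entries(data))
    overlaps, max_end, holder = [], -1, None
    for start, end, name in spans:
        if start < max_end:  # begins inside an earlier entry's bytes: refuse to extract
            overlaps.append((holder, name))
        if end > max_end:
            max_end, holder = end, name
    return overlaps

def make_overlapping(data):
    """Constructed sample: aim every central-directory entry at the first local header (no real bomb)."""
    data = bytearray(data)
    entries = list(central_directory_entries(bytes(data)))
    for _name, _off, _size, cdh_pos in entries[1:]:
        struct.pack_into("<I", data, cdh_pos + 42, entries[0][1])
    return bytes(data)

_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w", zipfile.ZIP_DEFLATED) as _zf:
    _zf.writestr("a.txt", b"A" * 1000)
    _zf.writestr("b.txt", b"B" * 1000)
CLEAN = _buf.getvalue()  # constructed two-member sample archive
```

An extractor that applies this check rejects the patched archive while accepting the clean one; data descriptors and ZIP64 extensions are not parsed here, so a production check would also cover those.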