Hi Santiago,

On Fri, Jul 05, 2019 at 12:57:31PM +0200, Santiago Vila wrote:
> On Thu, Jul 04, 2019 at 10:50:46PM +0200, Salvatore Bonaccorso wrote:
> > Source: unzip
> > Version: 6.0-23
> > Severity: important
> > Tags: security upstream
> > Control: found -1 6.0-21+deb9u1
> > Control: found -1 6.0-21
> >
> > Hi,
> >
> > The following vulnerability was published for unzip.
> >
> > CVE-2019-13232[0]:
> > | Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP
> > | container, leading to denial of service (resource consumption), aka a
> > | "better zip bomb" issue.
> >
> > There seems to be a fork of Info-Zip UnZip, trying to address this
> > issue, but not sure if we should follow that.
>
> Hello Salvatore. Thanks for the report.
>
> You probably mean the github repository by Mark Adler:
>
> https://github.com/madler/unzip
>
> The description says "Fork of InfoZIP UnZip 6.0 for new zip bomb
> detection patch" so I would consider this just as a way to distribute
> the patch fixing the bug, more than a proper "fork".
>
> (Note: Mark Adler was one of the original unzip authors, I'm glad
> to see him still around).
>
> I'll contact Steven M Schweda, the current maintainer.

Thank you!

Regards,
Salvatore
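The condition behind CVE-2019-13232 is that two or more central-directory entries can point at byte ranges of the archive that overlap, so a small file expands into far more output than its size suggests. The following Python script is an added example, not code from the bug report, from Info-ZIP or from Mark Adler's repository: it reads the central directory with the standard `zipfile` module, measures each entry's local header plus declared compressed data, and reports any pair of entries whose ranges overlap. The `build_zip` helper and the `a.txt`/`b.txt` inputs are constructed fixtures used only to exercise the check; `DOS_DATE` is a placeholder timestamp.

```python
import io
import struct
import zipfile
import zlib

# ZIP record layouts (PKWARE APPNOTE); all fields little-endian.
LOCAL_HDR = struct.Struct("<IHHHHHIIIHH")          # 30-byte local file header
CENTRAL_HDR = struct.Struct("<IHHHHHHIIIHHHHHII")  # 46-byte central directory record
EOCD = struct.Struct("<IHHHHIIH")                  # 22-byte end-of-central-directory record
SIG_LOCAL, SIG_CENTRAL, SIG_EOCD = 0x04034B50, 0x02014B50, 0x06054B50
DOS_DATE = 0x21  # 1980-01-01, constructed placeholder timestamp


def entry_extents(zip_bytes: bytes):
    """Return (name, start, end) for every central-directory entry, where
    [start, end) covers the local header, its name/extra fields and the
    compressed data length declared in the central directory."""
    extents = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            start = info.header_offset
            raw = zip_bytes[start:start + LOCAL_HDR.size]
            if len(raw) < LOCAL_HDR.size:
                raise ValueError(f"{info.filename}: truncated local header")
            fields = LOCAL_HDR.unpack(raw)
            if fields[0] != SIG_LOCAL:
                raise ValueError(f"{info.filename}: bad local header signature")
            name_len, extra_len = fields[9], fields[10]
            # A trailing data descriptor (flag bit 3) would add a few bytes here;
            # ignoring it only makes the check slightly more lenient, never stricter.
            end = start + LOCAL_HDR.size + name_len + extra_len + info.compress_size
            extents.append((info.filename, start, end))
    return extents


def find_overlaps(zip_bytes: bytes):
    """Return (earlier, later) name pairs whose byte ranges overlap; [] for a sane archive."""
    overlaps = []
    max_end, holder = -1, None
    for name, start, end in sorted(entry_extents(zip_bytes), key=lambda e: e[1]):
        if start < max_end:          # starts before the furthest-reaching entry ends
            overlaps.append((holder, name))
        if end > max_end:
            max_end, holder = end, name
    return overlaps


def build_zip(entries, share_first_local_header=False) -> bytes:
    """Assemble a 'stored' (method 0) archive from (name, data) pairs.
    With share_first_local_header=True only the first local header is written
    and every central-directory record points at it: a constructed fixture
    showing exactly the overlap the detector is meant to flag."""
    body, central = bytearray(), bytearray()
    offset = crc = size = 0
    for i, (name, data) in enumerate(entries):
        nb = name.encode()
        if i == 0 or not share_first_local_header:
            offset, crc, size = len(body), zlib.crc32(data), len(data)
            body += LOCAL_HDR.pack(SIG_LOCAL, 20, 0, 0, 0, DOS_DATE,
                                   crc, size, size, len(nb), 0) + nb + data
        central += CENTRAL_HDR.pack(SIG_CENTRAL, 20, 20, 0, 0, 0, DOS_DATE,
                                    crc, size, size, len(nb), 0, 0, 0, 0, 0,
                                    offset) + nb
    eocd = EOCD.pack(SIG_EOCD, 0, 0, len(entries), len(entries),
                     len(central), len(body), 0)
    return bytes(body + central + eocd)


if __name__ == "__main__":
    clean = build_zip([("a.txt", b"hello"), ("b.txt", b"world")])
    shared = build_zip([("a.txt", b"hello"), ("b.txt", b"hello")],
                       share_first_local_header=True)
    print("clean archive overlaps:", find_overlaps(clean))
    print("shared-header overlaps:", find_overlaps(shared))
```

The check works purely from the central directory and the local header lengths, so it runs before any data is inflated; a scanner that rejects an archive on a non-empty `find_overlaps` result never pays the decompression cost the CVE description calls resource consumption. Newer CPython `zipfile` releases apply a comparable overlap check when a member is opened, but this version reports every offending pair up front and works on older interpreters too.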