On Fri, Jul 12, 2019 at 04:32:53PM +0000, Adler, Mark wrote:
> Santiago,
>
> Thank you for the report.
>
> I downloaded the four false-positive zip files from the bugreport page, and
> none of them showed a zip bomb error (or any other error).
>
> How exactly did you apply the fix? Did you download the complete source from
> github?
> Or did you try to selectively apply a commit?

I applied the commits I believed to be the fix for the zipbomb issue,
i.e. these two:

commit 41beb477c5744bc396fa1162ee0c14218ec12213
    Fix bug in undefer_input() that misplaced the input state.

commit 47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
    Detect and reject a zip bomb using overlapped entries.

(The Debian version in turn already had a bunch of other changes to fix
other CVE issues and other misc fixes, I hope there are no incompatibilities).

Thanks.

