Hi Markus,

On Sun, Jul 07, 2019 at 10:09:22PM +0200, Markus Koschany wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Package : unzip
> Version : 6.0-16+deb8u4
> CVE ID : CVE-2019-13232
> Debian Bug : 931433
>
> David Fifield discovered a way to construct non-recursive "zip bombs"
> that achieve a high compression ratio by overlapping files inside the
> zip container. However the output size increases quadratically in the
> input size, reaching a compression ratio of over 28 million
> (10 MB -> 281 TB) at the limits of the zip format which can cause a
> denial-of-service. Mark Adler provided a patch to detect and reject
> such zip files for the unzip program.
There is a functional regression by this update in unzip, with a patch
provided by Mark Adler, cf. #932404:

To reproduce the issue:

wget http://ftp.mozilla.org/pub/firefox/releases/68.0.1/linux-x86_64/en-US/firefox-68.0.1.tar.bz2
tar xvf firefox-68.0.1.tar.bz2 firefox/omni.ja firefox/browser/omni.ja
unzip firefox/omni.ja
unzip firefox/browser/omni.ja

Regards,
Salvatore
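The check the advisory describes, rejecting an archive whose entries overlap inside the container, can be illustrated independently of unzip. The following is an added example written for this thread; it is not Mark Adler's patch, not unzip's code, and not Debian's, and the sample archive it builds is constructed in memory. It reads the central directory with Python's zipfile module, then reads each entry's local file header to compute the byte extent [start, end) that the entry occupies, and reports any two extents that overlap. It makes no assumption about where the central directory sits in the file, and it only tests overlap; whether a given check also trips on layouts such as Firefox's omni.ja is exactly what the reproduction steps above exercise.

```python
import io
import struct
import zipfile

# Local file header: signature, version, flags, method, time, date,
# crc32, compressed size, uncompressed size, name length, extra length.
LOCAL_HDR_FMT = "<4s5H3L2H"
LOCAL_HDR_SIG = b"PK\x03\x04"
LOCAL_HDR_LEN = 30


def find_overlaps(extents):
    """Given (name, start, end) extents (end exclusive), return the pairs
    (earlier_name, later_name) whose byte ranges overlap.

    Walks the extents in offset order while tracking the furthest end seen
    so far, so an entry that overlaps a large earlier entry is caught even
    when it does not overlap its immediate neighbour.
    """
    overlaps = []
    prev_name, prev_end = None, 0
    for name, start, end in sorted(extents, key=lambda e: (e[1], e[2])):
        if start < prev_end:
            overlaps.append((prev_name, name))
        if end > prev_end:
            prev_name, prev_end = name, end
    return overlaps


def local_extents(data):
    """Return (name, start, end) for every central-directory entry in the
    zip held in `data`, where start is the local header offset and end is
    the first byte after the entry's compressed data (and data descriptor,
    if the entry uses one)."""
    extents = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            hdr = data[off:off + LOCAL_HDR_LEN]
            if len(hdr) < LOCAL_HDR_LEN:
                raise ValueError(f"{info.filename}: local header beyond end of file")
            (sig, _ver, flags, _method, _t, _d, _crc, _csize, _usize,
             name_len, extra_len) = struct.unpack(LOCAL_HDR_FMT, hdr)
            if sig != LOCAL_HDR_SIG:
                raise ValueError(f"{info.filename}: bad local header signature")
            end = off + LOCAL_HDR_LEN + name_len + extra_len + info.compress_size
            if flags & 0x08:  # general purpose bit 3: data descriptor follows
                end += 16 if data[end:end + 4] == b"PK\x07\x08" else 12
            extents.append((info.filename, off, end))
    return extents


def check_zip_bytes(data):
    """Overlap check over a whole archive; an empty list means no overlap."""
    return find_overlaps(local_extents(data))


def make_sample_zip():
    """Constructed, well-formed two-entry archive used as the clean sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"A" * 1000)
        zf.writestr("b.txt", b"B" * 1000)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_zip()
    print("clean sample overlaps:", check_zip_bytes(sample))
    # Hand-written extents standing in for a container whose entries overlap.
    print("overlapping extents:", find_overlaps([("x", 0, 100), ("y", 10, 20), ("z", 50, 60)]))
```

To run it over a file on disk, pass `open(path, "rb").read()` to `check_zip_bytes`; a non-empty result is the condition that the hardened unzip rejects, and a ValueError indicates a local header that does not match what the central directory claims.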