Hi Salvatore,

On 28.07.19 at 04:37, Salvatore Bonaccorso wrote:
[...]
> There is a functional regression by this update in unzip, with a patch
> provided by Mark Adler, cf. #932404:
>
> To reproduce the issue:
>
> wget http://ftp.mozilla.org/pub/firefox/releases/68.0.1/linux-x86_64/en-US/firefox-68.0.1.tar.bz2
> tar xvf firefox-68.0.1.tar.bz2 firefox/omni.ja firefox/browser/omni.ja
> unzip firefox/omni.ja
> unzip firefox/browser/omni.ja
Thanks for reporting this issue. I could reproduce it and intend to release an update shortly. Please note that the zip file in question, omni.ja, is invalid according to the zip standard, and unzip already reports an error when extracting it, although it tries to compensate for that.

P.S.: I don't understand why you have marked CVE-2019-13232 as unimportant, though. According to the security tracker documentation, the definition of unimportant is [1].

In my opinion your assumption that "any server implementing automatic extraction needs to apply resource limits anyway" is like assuming that all server operators always implement adequate security protections for all scenarios that may arise from running the services. We all know this is not true in real life. Also, it is perfectly possible that someone sends out spam emails with a (concealed) zip bomb attached which may be opened by an unsuspecting user. Non tech-savvy people quickly run into trouble when they unpack such a file and don't realize that their entire hard disk will fill up in minutes. If anything, no-dsa would be more appropriate than unimportant.

Regards,

Markus

[1] unimportant: This problem does not affect the Debian binary package, e.g., a vulnerable source file, which is not built, a vulnerable file in doc/foo/examples/, PHP Safe mode bugs, path disclosure (doesn't matter on Debian). All "non-issues in practice" fall also into this category, like issues only "exploitable" if the code in question is setuid root, exploits which only work if someone already has administrative privileges or similar. This severity is also used for vulnerabilities in packages which are not covered by security support.
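The CVE discussed above, CVE-2019-13232, concerns archives whose entries overlap inside the file, so that the total declared output far exceeds what the archive's bytes could honestly deflate to. As an added example (not code from this thread or from unzip), the Python checker below parses only a zip's central directory and flags overlapping entries or an impossible aggregate ratio before any byte is inflated; the two-entry sample archive and the overlapping directory metadata are constructed inline.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header
DEFLATE_MAX_RATIO = 1032   # deflate cannot expand beyond roughly 1032:1 on any input

def read_entries(data: bytes):
    """Walk the central directory; return (name, csize, usize, local_offset, local_header_len)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    entries = []
    for _ in range(count):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        csize, usize, nlen, elen, clen, _, _, _, off = struct.unpack_from("<IIHHHHHII", data, pos + 20)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        if data[off:off + 4] != LFH_SIG:
            raise ValueError("entry %r does not point at a local file header" % name)
        lnlen, lelen = struct.unpack_from("<HH", data, off + 26)  # local name/extra lengths
        entries.append((name, csize, usize, off, 30 + lnlen + lelen))
        pos += 46 + nlen + elen + clen
    return entries

def audit(entries, archive_size: int):
    """Return (overlapping_names, declared_ratio, suspicious). An entry overlaps when its local
    header starts inside the span (header + compressed data) of an earlier entry; an honest
    deflate archive can never exceed DEFLATE_MAX_RATIO in total declared output."""
    overlaps, end = [], -1
    for name, csize, _usize, off, hlen in sorted(entries, key=lambda e: e[3]):
        if off < end:
            overlaps.append(name)
        end = max(end, off + hlen + csize)
    ratio = sum(e[2] for e in entries) / max(archive_size, 1)
    return overlaps, ratio, bool(overlaps) or ratio > DEFLATE_MAX_RATIO

def benign_zip() -> bytes:
    """Constructed sample: a well-formed two-entry archive written by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"A" * 4096)
        zf.writestr("b.txt", b"B" * 4096)
    return buf.getvalue()

# Constructed directory metadata (not a real archive): three entries all claiming the local
# header at offset 0 and each declaring 4 GB of output, the pattern the audit should flag.
OVERLAPPING_ENTRIES = [("x%d" % i, 1000, 4_000_000_000, 0, 40) for i in range(3)]
```

On a real file, `audit(read_entries(data), len(data))` inspects the directory alone, so a mail gateway or extraction service can reject the archive before a single entry is inflated.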