On Fri, Jul 26, 2019 at 04:01:15AM +, Adler, Mark wrote:
> All,
>
> Thank you Santiago for the report and David for the diagnosis. Though this is
> not a valid zip file, there are in fact no overlapping structures and so
> there should not be a bomb alert.
>
> I have added a commit that ini
All,
Thank you Santiago for the report and David for the diagnosis. Though this is
not a valid zip file, there are in fact no overlapping structures and so there
should not be a bomb alert.
I have added a commit that initializes the cover with the actual spans of the
central directory, the Zip
On Fri, Jul 19, 2019 at 08:30:32AM +0900, Mike Hommey wrote:
> Download
> http://ftp.mozilla.org/pub/firefox/releases/68.0.1/linux-x86_64/en-US/firefox-68.0.1.tar.bz2
> Extract it
> Unzip omni.ja
>
> The file *is* funky, but afaik it does not have overlapping components.
I think I know what's go
Hello Mark.
The Debian firefox package no longer builds from source when using the
patched unzip and I'm told this is a "false positive". Is it?
This is the way to reproduce it:
wget http://ftp.mozilla.org/pub/firefox/releases/68.0.1/linux-x86_64/en-US/firefox-68.0.1.tar.bz2
tar xvf firefox-68.
On Fri, Jul 19, 2019 at 01:19:15AM +0200, Santiago Vila wrote:
> On Fri, 19 Jul 2019, Mike Hommey wrote:
>
> > reassign -1 unzip
> > found -1 6.0-24
> > notfound -1 6.0-23
> >
> > This is a false positive from the changes in unzip 6.0-24.
>
> Please note that this is not necessarily a false posi
On Fri, 19 Jul 2019, Mike Hommey wrote:
> reassign -1 unzip
> found -1 6.0-24
> notfound -1 6.0-23
>
> This is a false positive from the changes in unzip 6.0-24.
Please note that this is not necessarily a false positive.
It could be a buggy zipfile as well, like the ones reported here:
https://
reassign -1 unzip
found -1 6.0-24
notfound -1 6.0-23
This is a false positive from the changes in unzip 6.0-24.
On Thu, Jul 18, 2019 at 09:04:24PM +0100, peter green wrote:
> package: firefox-esr
> version: 60.8.0esr-1
> severity: serious
>
> While trying to update firefox-esr in raspbian bullse
package: firefox-esr
version: 60.8.0esr-1
severity: serious
While trying to update firefox-esr in raspbian bullseye I ran into a "possible zip
bomb" error. The failure also shows up on the reproducible builds site for i386 and
arm64 so it's not raspbian specific.
warning [debian/tmp/usr/lib/f