unzip: CVE-2019-13232


Debian Bug report logs - #931433
unzip: CVE-2019-13232


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 4 Jul 2019 20:54:01 UTC

Severity: important

Tags: security, upstream

Found in versions unzip/6.0-21+deb9u1, unzip/6.0-23, unzip/6.0-21



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#931433; Package src:unzip. (Thu, 04 Jul 2019 20:54:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Santiago Vila <sanvila@debian.org>. (Thu, 04 Jul 2019 20:54:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unzip: CVE-2019-13232
Date: Thu, 04 Jul 2019 22:50:46 +0200
Source: unzip
Version: 6.0-23
Severity: important
Tags: security upstream
Control: found -1 6.0-21+deb9u1
Control: found -1 6.0-21

Hi,

The following vulnerability was published for unzip.

CVE-2019-13232[0]:
| Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP
| container, leading to denial of service (resource consumption), aka a
| "better zip bomb" issue.

There seems to be a fork of Info-ZIP UnZip, trying to address this
issue, but not sure if we should follow that.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13232
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13232

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
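
The overlap described in the CVE text above (several central directory entries pointing at the same local header and compressed data) can be flagged from the central directory alone, before any data is extracted. The following is an added illustration, not code from the bug report, from Info-ZIP or from Mark Adler's patch; the two archive builders, the entry names and the payload are constructed for the example.

```python
import io
import struct
import zipfile
import zlib

LOCAL_HDR = struct.Struct("<4s5H3L2H")      # 30-byte local file header
CENTRAL_HDR = struct.Struct("<4s6H3L5HLL")  # 46-byte central directory header
EOCD = struct.Struct("<4sHHHHLLH")          # 22-byte end-of-central-directory record

def build_overlapping_zip(names, payload):
    """Constructed sample: one local header + data at offset 0, but a central
    directory entry for every name, all pointing at that same offset."""
    crc, n, first = zlib.crc32(payload), len(payload), names[0].encode()
    local = LOCAL_HDR.pack(b"PK\x03\x04", 20, 0, 0, 0, 0, crc, n, n, len(first), 0)
    local += first + payload
    cd = b""
    for name in names:
        fn = name.encode()
        cd += CENTRAL_HDR.pack(b"PK\x01\x02", 20, 20, 0, 0, 0, 0, crc, n, n,
                               len(fn), 0, 0, 0, 0, 0, 0) + fn
    return local + cd + EOCD.pack(b"PK\x05\x06", 0, 0, len(names), len(names),
                                  len(cd), len(local), 0)

def build_normal_zip(files):
    """Constructed sample: a well-formed archive written by the zipfile module."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in files.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def find_overlaps(data):
    """Return (name_a, name_b) pairs whose on-disk byte ranges overlap. An entry
    spans its local header (lengths read from that header) plus compressed data."""
    spans = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            off = zi.header_offset
            hdr = LOCAL_HDR.unpack_from(data, off)
            if hdr[0] != b"PK\x03\x04":
                raise ValueError(f"bad local header for {zi.filename!r}")
            # hdr[9], hdr[10]: local name and extra-field lengths
            end = off + LOCAL_HDR.size + hdr[9] + hdr[10] + zi.compress_size
            spans.append((off, end, zi.filename))
    overlaps, max_end, holder = [], -1, None
    for start, end, name in sorted(spans):  # walk entries by start offset
        if start < max_end:                 # starts before an earlier entry ended
            overlaps.append((holder, name))
        if end > max_end:
            max_end, holder = end, name
    return overlaps
```

Recent CPython releases reject overlapping entries only when an entry is opened; the check above runs over the central directory before extraction and names every entry sharing bytes with an earlier one.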



Marked as found in versions unzip/6.0-21+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 04 Jul 2019 20:54:04 GMT) (full text, mbox, link).


Marked as found in versions unzip/6.0-21. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 04 Jul 2019 20:54:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#931433; Package src:unzip. (Fri, 05 Jul 2019 11:00:02 GMT) (full text, mbox, link).


Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Fri, 05 Jul 2019 11:00:02 GMT) (full text, mbox, link).


Message #14 received at 931433@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@unex.es>
To: Salvatore Bonaccorso <carnil@debian.org>, 931433@bugs.debian.org
Subject: Re: Bug#931433: unzip: CVE-2019-13232
Date: Fri, 5 Jul 2019 12:57:31 +0200
On Thu, Jul 04, 2019 at 10:50:46PM +0200, Salvatore Bonaccorso wrote:
> Source: unzip
> Version: 6.0-23
> Severity: important
> Tags: security upstream
> Control: found -1 6.0-21+deb9u1
> Control: found -1 6.0-21
> 
> Hi,
> 
> The following vulnerability was published for unzip.
> 
> CVE-2019-13232[0]:
> | Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP
> | container, leading to denial of service (resource consumption), aka a
> | "better zip bomb" issue.
> 
> There seems to be a fork of Info-ZIP UnZip, trying to address this
> issue, but not sure if we should follow that.

Hello Salvatore. Thanks for the report.

You probably mean the github repository by Mark Adler:

https://github.com/madler/unzip

The description says "Fork of InfoZIP UnZip 6.0 for new zip bomb
detection patch" so I would consider this just as a way to distribute
the patch fixing the bug, more than a proper "fork".

(Note: Mark Adler was one of the original unzip authors; I'm glad
to see him still around).

I'll contact Steven M Schweda, the current maintainer.

Thanks.





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jul 5 11:21:11 2019; Machine Name: beach
