On 13/07/2019 04:32, Adler, Mark wrote:
I downloaded the four false-positive zip files from the bugreport page, and
none of them showed a zip bomb error (or any other error).
Mark,
the zip bomb error is seen when unzipping the 17 jar files contained
within the four zip files. Did you test these inner jar files? I used
(in bash):
$ for f in *.jar; do echo $f; unzip -tq $f; done
The outer zip files are there because many email filters block all email
with jar attachments, and Debian BTS is email-based.
It would also be nice if unzip reported the filename when rejecting a
suspected zip bomb, as it does when reporting "No errors detected".
Kind regards,
--
Ben Caradoc-Davies <b...@transient.nz>
Director
Transient Software Limited <https://transient.nz/>
New Zealand
