Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-17 Thread Ben Caradoc-Davies
On 18/07/2019 03:05, Santiago Vila wrote:
> According to Mark Adler, those jar files are buggy: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931895#73

Mark, thanks very much for your detailed analysis.

> Simple question: Do those jar files come from any package that we (Debian) distribute?

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-17 Thread Santiago Vila
Hi. According to Mark Adler, those jar files are buggy: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931895#73 Simple question: Do those jar files come from any package that we (Debian) distribute? If yes, I'd like to reassign the bug. If not, I guess closing the bug as "not really a bug"

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-17 Thread Santiago Vila
Thanks a lot, Mark, for such a comprehensive reply! I'll ask the submitter where exactly those files come from, but there is indeed little to do on my side. Thanks.

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-16 Thread Adler, Mark
All, Ok, I looked into it. Those jar files are seriously messed up. Any self-respecting unzipper would be well within its rights to reject them as invalid. As it turns out, my patch to unzip is doing exactly what it’s supposed to. Something that processed those jar files has a bug. In each of

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-12 Thread Adler, Mark
Ben,

Ah, no, I did not test the jar files. I just did, and indeed I am seeing the reported zip bomb detections. Thanks. I’ll look into it.

Mark

> On Jul 12, 2019, at 3:22 PM, Ben Caradoc-Davies wrote:
>
> On 13/07/2019 04:32, Adler, Mark wrote:
>> I downloaded the four false-positive zip

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-12 Thread Ben Caradoc-Davies
On 13/07/2019 04:32, Adler, Mark wrote:
> I downloaded the four false-positive zip files from the bugreport page, and none of them showed a zip bomb error (or any other error).

Mark, the zip bomb error is seen when unzipping the 17 jar files contained within the four zip files. Did you test

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-12 Thread Santiago Vila
> > (The Debian version in turn had already a bunch of other changes to
> > fix other CVE issues and other misc fixes, I hope there are not
> > incompatibilities).
>
> Well, apparently there is an incompatibility. I can make no promises about
> applying those commits to an unzip source of

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-12 Thread Santiago Vila
On Fri, Jul 12, 2019 at 04:32:53PM +, Adler, Mark wrote:
> Santiago,
>
> Thank you for the report.
>
> I downloaded the four false-positive zip files from the bugreport page, and
> none of them showed a zip bomb error (or any other error).
>
> How exactly did you apply the fix? Did you

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-12 Thread Adler, Mark
On Jul 12, 2019, at 9:43 AM, Santiago Vila wrote:
> I applied the commits I believed to be the fix for the zipbomb issue, i.e.
> these two:
>
> commit 41beb477c5744bc396fa1162ee0c14218ec12213
> Fix bug in undefer_input() that misplaced the input state.
> commit

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-12 Thread Adler, Mark
Santiago, Thank you for the report. I downloaded the four false-positive zip files from the bugreport page, and none of them showed a zip bomb error (or any other error). How exactly did you apply the fix? Did you download the complete source from github? Or did you try to selectively apply a

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-12 Thread Santiago Vila
Hello. I applied your fix for the zip bomb issue to the Debian unzip package and shortly afterwards I received this bug report from one of our users (Ben Caradoc-Davies, in the Cc). (Note: Our BTS is email-based, but I could also put an issue on github if you prefer). The full report is