Your message dated Thu, 11 Jul 2019 16:37:40 +0000
with message-id <[email protected]>
and subject line Bug#931433: fixed in unzip 6.0-24
has caused the Debian Bug report #931433,
regarding unzip: CVE-2019-13232
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
931433: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931433
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: unzip
Version: 6.0-23
Severity: important
Tags: security upstream
Control: found -1 6.0-21+deb9u1
Control: found -1 6.0-21
Hi,
The following vulnerability was published for unzip.
CVE-2019-13232[0]:
| Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP
| container, leading to denial of service (resource consumption), aka a
| "better zip bomb" issue.
There seems to be a fork of Info-ZIP UnZip trying to address this
issue, but I'm not sure if we should follow that.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-13232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13232
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: unzip
Source-Version: 6.0-24
We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Vila <[email protected]> (supplier of updated unzip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 11 Jul 2019 18:03:34 +0200
Source: unzip
Architecture: source
Version: 6.0-24
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <[email protected]>
Changed-By: Santiago Vila <[email protected]>
Closes: 931433
Changes:
unzip (6.0-24) unstable; urgency=medium
.
  * Apply two patches by Mark Adler:
    - Fix bug in undefer_input() that misplaced the input state.
    - Detect and reject a zip bomb using overlapped entries. Closes: #931433.
      Bug discovered by David Fifield. For reference, this is CVE-2019-13232.
--- End Message ---
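As an added example, not Debian's or Info-ZIP's code and only a simplification of the upstream overlap check the changelog refers to: the script below parses a ZIP's central directory, computes the byte range each entry claims (local header through compressed data) and reports ranges that share bytes, which is the archive shape CVE-2019-13232 describes. It builds a constructed clean archive and a constructed overlapped one (entry names a.txt, b.txt and c.txt are assumptions) so the check can be run against both.

```python
import io
import struct
import zipfile

EOCD_SIG, CDH_SIG = b"PK\x05\x06", b"PK\x01\x02"

def entry_spans(data: bytes):
    """[(start, end, name)] per central-directory entry: the bytes from its local
    header through the end of its compressed data (sizes from the central directory)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    n_entries, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    spans = []
    for _ in range(n_entries):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        csize, nlen, xlen, clen = struct.unpack_from("<I4xHHH", data, pos + 20)  # +20: csize, (usize), name/extra/comment lengths
        lfh_off = struct.unpack_from("<I", data, pos + 42)[0]  # +42: local header offset
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        lname, lextra = struct.unpack_from("<HH", data, lfh_off + 26)  # local name/extra sizes
        spans.append((lfh_off, lfh_off + 30 + lname + lextra + csize, name))
        pos += 46 + nlen + xlen + clen
    return spans

def find_overlaps(data: bytes):
    """(earlier, later) name pairs whose byte ranges share bytes; [] for a sane archive."""
    bad, max_end, owner = [], 0, None
    for start, end, name in sorted(entry_spans(data)):
        if start < max_end:  # starts inside a range an earlier entry already claimed
            bad.append((owner, name))
        if end > max_end:
            max_end, owner = end, name
    return bad

def make_clean_zip() -> bytes:  # constructed, well-formed two-entry archive
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"A" * 4096)
        zf.writestr("b.txt", b"B" * 4096)
    return buf.getvalue()

def make_overlapped_zip() -> bytes:  # constructed bomb shape: c.txt reuses a.txt's data
    data = bytearray(make_clean_zip())
    eocd = data.rfind(EOCD_SIG)
    n, cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    clone = bytes(data[cd_off:cd_off + 46]) + b"c.txt"  # a.txt's header with a new 5-byte name
    data[eocd:eocd] = clone  # append it to the central directory; EOCD shifts by len(clone)
    struct.pack_into("<HHI", data, eocd + len(clone) + 8, n + 1, n + 1, cd_size + len(clone))
    return bytes(data)
```

Compressed sizes are read from the central directory rather than the local header, so entries that defer their sizes to a data descriptor (general-purpose flag bit 3) are still measured correctly; the trailing descriptor bytes themselves are not counted.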