Package: unzip
Version: 6.0-24
Severity: normal

Dear Maintainer,

zip bomb detection introduced in 6.0-24 (see #931433
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931433> and CVE-2019-13232)
causes unzip to reject many jar files distributed in the Java ecosystem.

Workaround is to downgrade to unzip 6.0-23.

Examples:

$ find .gradle .m2 java -name "*.jar" -type f -size +0c -print -exec unzip -tq
{} \; 2>&1 | grep -B1 invalid
.gradle/wrapper/dists/gradle-5.2.1-bin/9lc4nzslqh3ep7ml2tp68fk8s/gradle-5.2.1/lib/groovy-
all-1.0-2.5.4.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.gradle/wrapper/dists/gradle-5.4.1-bin/e75iq110yv9r9wt1a6619x2xm/gradle-5.4.1/lib/gradle-
kotlin-dsl-5.4.1.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.gradle/wrapper/dists/gradle-5.4.1-bin/e75iq110yv9r9wt1a6619x2xm/gradle-5.4.1/lib/plugins/gradle-
kotlin-dsl-tooling-builders-5.4.1.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.gradle/wrapper/dists/gradle-5.4.1-bin/e75iq110yv9r9wt1a6619x2xm/gradle-5.4.1/lib/plugins/gradle-
kotlin-dsl-provider-plugins-5.4.1.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.gradle/wrapper/dists/gradle-5.4.1-bin/e75iq110yv9r9wt1a6619x2xm/gradle-5.4.1/lib/groovy-
all-1.0-2.5.4.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/ow2/asm/asm-tree/5.0.3/asm-tree-5.0.3-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/ow2/asm/asm-util/5.0.3/asm-util-5.0.3-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/ow2/asm/asm/5.0.3/asm-5.0.3-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/ow2/asm/asm-analysis/5.0.3/asm-analysis-5.0.3-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/springframework/spring-orm/4.2.5.RELEASE/spring-
orm-4.2.5.RELEASE-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/springframework/spring-orm/4.3.7.RELEASE/spring-
orm-4.3.7.RELEASE-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/springframework/spring-beans/4.3.16.RELEASE/spring-
beans-4.3.16.RELEASE-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/springframework/spring-beans/4.2.5.RELEASE/spring-
beans-4.2.5.RELEASE-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/springframework/spring-beans/4.3.18.RELEASE/spring-
beans-4.3.18.RELEASE-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/springframework/spring-beans/4.3.7.RELEASE/spring-
beans-4.3.7.RELEASE-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
java/gradle-5.5.1/lib/plugins/gradle-kotlin-dsl-tooling-builders-5.5.1.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
java/gradle-5.5.1/lib/plugins/gradle-kotlin-dsl-provider-plugins-5.5.1.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
java/gradle-5.5.1/lib/gradle-kotlin-dsl-5.5.1.jar
error: invalid zip file with overlapped components (possible zip bomb)
java/gradle-5.5.1/lib/groovy-all-1.0-2.5.4.jar
error: invalid zip file with overlapped components (possible zip bomb)

Kind regards,
Ben.



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB:en 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages unzip depends on:
ii  libbz2-1.0  1.0.6-9.2
ii  libc6       2.28-10

unzip recommends no packages.

Versions of packages unzip suggests:
ii  zip  3.0-11+b1

-- no debconf information

Reply via email to