Bug#963996: /usr/bin/unzip: Bomb detection fails with out of memory error when extracting bzip2-compressed files

2020-07-03 Thread Spencer Harris 
I researched this a bit more and found that Mark Adler patched this in his fork.

See 

and 
.

Bug#963996: /usr/bin/unzip: Bomb detection fails with out of memory error when extracting bzip2-compressed files

2020-06-29 Thread Spencer Harris 
Package: unzip
Version: 6.0-25
Severity: normal
File: /usr/bin/unzip

Dear Maintainer,

When using unzip to attempt to extract a zip file containing certain
bzip2-compressed files, unzip fails after extracting the first file with the
error, "not enough memory for bomb detection". Versions without the bomb
detection patches seem to have no problems handling bzip2 decompression. Not
all bzip2-compressed files produce this error.

To test this, I compressed the files "zip.h" and "zipinfo.c" from the
unpatched unzip sources with the command
"zip -Z bzip2 test.zip zip.h zipinfo.c", moved test.zip, and attempted to
extract with "unzip test.zip". This resulted in zip.h getting extracted,
followed by the aforementioned error message. zipinfo.c was not extracted.
Changing the order of the files to "zip -Z bzip2 test.zip zipinfo.c zip.h"
resulted in both files being extracted, with the error once again after zip.h.
Compressing each file by itself also resulted in an error when extracting
zip.h, albeit with the file being produced successfully, and no problems with
zipinfo.c.


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages unzip depends on:
ii  libbz2-1.0  1.0.8-3
ii  libc6   2.30-8

unzip recommends no packages.

Versions of packages unzip suggests:
ii  zip  3.0-11+b1

-- no debconf information