Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-17 Thread Ben Caradoc-Davies
On 18/07/2019 03:05, Santiago Vila wrote: According to Mark Adler, those jar files are buggy: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931895#73 Mark, thanks very much for your detailed analysis. Simple question: Do those jar files come from any package that we (Debian) distribute?

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-17 Thread Santiago Vila
Hi. According to Mark Adler, those jar files are buggy: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931895#73 Simple question: Do those jar files come from any package that we (Debian) distribute? If yes, I'd like to reassign the bug. If not, I guess closing the bug as "not really a bug"

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-17 Thread Santiago Vila
Thanks a lot, Mark, for such a comprehensive reply! I'll ask the submitter where exactly those files come from, but there is indeed little to do on my side. Thanks.

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-16 Thread Adler, Mark
All, Ok, I looked into it. Those jar files are seriously messed up. Any self-respecting unzipper would be well within its rights to reject them as invalid. As it turns out, my patch to unzip is doing exactly what it’s supposed to. Something that processed those jar files has a bug. In each of

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-12 Thread Adler, Mark
Ben, Ah, no, I did not test the jar files. I just did, and indeed I am seeing the reported zip bomb detections. Thanks. I’ll look into it. Mark > On Jul 12, 2019, at 3:22 PM, Ben Caradoc-Davies wrote: > > On 13/07/2019 04:32, Adler, Mark wrote: >> I downloaded the four false-positive zip

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-12 Thread Ben Caradoc-Davies
On 13/07/2019 04:32, Adler, Mark wrote: I downloaded the four false-positive zip files from the bugreport page, and none of them showed a zip bomb error (or any other error). Mark, the zip bomb error is seen when unzipping the 17 jar files contained within the four zip files. Did you test

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-12 Thread Santiago Vila
> > (The Debian version in turn had already a bunch of other changes to > > fix other CVE issues and other misc fixes, I hope there are not > > incompatibilities). > > Well, apparently there is an incompatibility. I can make no promises about > applying those commits to an unzip source of

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-12 Thread Santiago Vila
On Fri, Jul 12, 2019 at 04:32:53PM +, Adler, Mark wrote: > Santiago, > > Thank you for the report. > > I downloaded the four false-positive zip files from the bugreport page, and > none of them showed a zip bomb error (or any other error). > > How exactly did you apply the fix? Did you

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-12 Thread Adler, Mark
On Jul 12, 2019, at 9:43 AM, Santiago Vila wrote: > I applied the commits I believed to be the fix for the zipbomb issue, i.e. > these two: > > commit 41beb477c5744bc396fa1162ee0c14218ec12213 > Fix bug in undefer_input() that misplaced the input state. > commit

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-12 Thread Adler, Mark
> Date: Fri, 12 Jul 2019 11:52:14 +1200 > From: Ben Caradoc-Davies > To: Debian Bug Tracking System > Subject: Bug#931895: unzip: zip bomb false positives in Java ecosystem > X-Mailer: reportbug 7.5.2 > > Package: unzip > Version: 6.0-24 > Severity: normal >

Bug#931895: [b...@transient.nz: Bug#931895: unzip: zip bomb false positives in Java ecosystem]

2019-07-12 Thread Santiago Vila
is available here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931895 Thanks. - Forwarded message from Ben Caradoc-Davies - Date: Fri, 12 Jul 2019 11:52:14 +1200 From: Ben Caradoc-Davies To: Debian Bug Tracking System Subject: Bug#931895: unzip: zip bomb false positives in Java ecosystem

Bug#931895: unzip: zip bomb false positives in Java ecosystem

2019-07-11 Thread Ben Caradoc-Davies
With the 17 affected jar files in the current working directory: unzip 6.0-23: $ for f in *.jar; do echo $f; unzip -tq $f; done asm-5.0.3-sources.jar No errors detected in compressed data of asm-5.0.3-sources.jar. asm-analysis-5.0.3-sources.jar No errors detected in compressed data of

Bug#931895: unzip: zip bomb false positives in Java ecosystem

2019-07-11 Thread Ben Caradoc-Davies
Package: unzip Version: 6.0-24 Severity: normal Dear Maintainer, zip bomb detection introduced in 6.0-24 (see #931433 and CVE-2019-13232) causes unzip to reject many jar files distributed in the Java ecosystem. Workaround is to