Hello. I applied your fix for the zip bomb issue to the Debian unzip package and shortly afterwards I received this bug report from one of our users (Ben Caradoc-Davies, in the Cc).
(Note: Our BTS is email-based, but I could also put an issue on github if you prefer).

The full report is available here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931895

Thanks.

----- Forwarded message from Ben Caradoc-Davies <b...@transient.nz> -----

Date: Fri, 12 Jul 2019 11:52:14 +1200
From: Ben Caradoc-Davies <b...@transient.nz>
To: Debian Bug Tracking System <sub...@bugs.debian.org>
Subject: Bug#931895: unzip: zip bomb false positives in Java ecosystem
X-Mailer: reportbug 7.5.2

Package: unzip
Version: 6.0-24
Severity: normal

Dear Maintainer,

zip bomb detection introduced in 6.0-24 (see #931433 <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931433> and CVE-2019-13232) causes unzip to reject many jar files distributed in the Java ecosystem. Workaround is to downgrade to unzip 6.0-23.

Examples:

$ find .gradle .m2 java -name "*.jar" -type f -size +0c -print -exec unzip -tq {} \; 2>&1 | grep -B1 invalid
.gradle/wrapper/dists/gradle-5.2.1-bin/9lc4nzslqh3ep7ml2tp68fk8s/gradle-5.2.1/lib/groovy-all-1.0-2.5.4.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.gradle/wrapper/dists/gradle-5.4.1-bin/e75iq110yv9r9wt1a6619x2xm/gradle-5.4.1/lib/gradle-kotlin-dsl-5.4.1.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.gradle/wrapper/dists/gradle-5.4.1-bin/e75iq110yv9r9wt1a6619x2xm/gradle-5.4.1/lib/plugins/gradle-kotlin-dsl-tooling-builders-5.4.1.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.gradle/wrapper/dists/gradle-5.4.1-bin/e75iq110yv9r9wt1a6619x2xm/gradle-5.4.1/lib/plugins/gradle-kotlin-dsl-provider-plugins-5.4.1.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.gradle/wrapper/dists/gradle-5.4.1-bin/e75iq110yv9r9wt1a6619x2xm/gradle-5.4.1/lib/groovy-all-1.0-2.5.4.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/ow2/asm/asm-tree/5.0.3/asm-tree-5.0.3-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/ow2/asm/asm-util/5.0.3/asm-util-5.0.3-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/ow2/asm/asm/5.0.3/asm-5.0.3-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/ow2/asm/asm-analysis/5.0.3/asm-analysis-5.0.3-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/springframework/spring-orm/4.2.5.RELEASE/spring-orm-4.2.5.RELEASE-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/springframework/spring-orm/4.3.7.RELEASE/spring-orm-4.3.7.RELEASE-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/springframework/spring-beans/4.3.16.RELEASE/spring-beans-4.3.16.RELEASE-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/springframework/spring-beans/4.2.5.RELEASE/spring-beans-4.2.5.RELEASE-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/springframework/spring-beans/4.3.18.RELEASE/spring-beans-4.3.18.RELEASE-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
.m2/repository/org/springframework/spring-beans/4.3.7.RELEASE/spring-beans-4.3.7.RELEASE-sources.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
java/gradle-5.5.1/lib/plugins/gradle-kotlin-dsl-tooling-builders-5.5.1.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
java/gradle-5.5.1/lib/plugins/gradle-kotlin-dsl-provider-plugins-5.5.1.jar
error: invalid zip file with overlapped components (possible zip bomb)
--
java/gradle-5.5.1/lib/gradle-kotlin-dsl-5.5.1.jar
error: invalid zip file with overlapped components (possible zip bomb)
java/gradle-5.5.1/lib/groovy-all-1.0-2.5.4.jar
error: invalid zip file with overlapped components (possible zip bomb)

Kind regards,
Ben.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages unzip depends on:
ii  libbz2-1.0  1.0.6-9.2
ii  libc6       2.28-10

unzip recommends no packages.

Versions of packages unzip suggests:
ii  zip  3.0-11+b1

-- no debconf information

----- End forwarded message -----
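To check independently whether a rejected archive's entries really share bytes, here is an added Python example (it is neither the unzip patch nor anything from the bug report): it recomputes each entry's byte span from the local header's own name and extra lengths, which the zip format allows to differ from the central directory's copies, and reports pairs of entries whose spans intersect. It runs on two constructed fixtures, a clean stored archive and a copy whose central directory has been patched so both entries point at the same local header; zip64 data descriptors are assumed absent.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"

def entry_spans(data):
    """(name, start, end) per central-directory entry: the byte range of its local header + data."""
    spans = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            if data[off:off + 4] != LOCAL_SIG:
                raise ValueError(f"{info.filename}: no local header at offset {off}")
            # Read name/extra lengths from the local header itself (fixed part is 30 bytes,
            # lengths at +26/+28): the format lets them differ from the central directory's copies.
            name_len, extra_len = struct.unpack_from("<HH", data, off + 26)
            end = off + 30 + name_len + extra_len + info.compress_size
            if info.flag_bits & 0x08:  # data descriptor follows the data (non-zip64 assumed)
                end += 16 if data[end:end + 4] == b"PK\x07\x08" else 12
            spans.append((info.filename, off, end))
    return spans

def find_overlaps(data):
    """Pairs of entries whose byte ranges overlap; a well-formed archive has none."""
    spans = sorted(entry_spans(data), key=lambda s: s[1])
    return [(a[0], b[0]) for a, b in zip(spans, spans[1:]) if b[1] < a[2]]

def make_zip(entries):
    """Constructed fixture: an ordinary stored zip built from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()

def make_overlapped_fixture():
    """Constructed fixture: second central record repointed at the first entry's local header."""
    data = bytearray(make_zip([("a.txt", b"A" * 40), ("b.txt", b"B" * 40)]))
    first = data.find(CENTRAL_SIG)
    second = data.find(CENTRAL_SIG, first + 4)
    first_off = struct.unpack_from("<I", data, first + 42)[0]  # "relative offset of local header"
    struct.pack_into("<I", data, second + 42, first_off)
    return bytes(data)

if __name__ == "__main__":
    print("clean:", find_overlaps(make_zip([("a.txt", b"A" * 40), ("b.txt", b"B" * 40)])))
    print("overlapped:", find_overlaps(make_overlapped_fixture()))
```

Running find_overlaps over the bytes of one of the jars listed above shows whether its entries genuinely share bytes, which is the first thing to establish when triaging a report like this one.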