On 18/07/2019 03:05, Santiago Vila wrote:
> According to Mark Adler, those jar files are buggy:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931895#73
> Mark, thanks very much for your detailed analysis.
> Simple question: Do those jar files come from any package that we
> (Debian) distribute? If yes, I'd like to reassign the bug. If not, I
> guess closing the bug as "not really a bug" is the only sensible thing to do.
Santiago,
none of these jar files come from Debian. They are sourced from Maven
Central, Gradle repositories, and the official Gradle binary distribution.
I checked all the jar files included in Debian gradle 4.4.1-7,
libgradle-core-java 4.4.1-7, and libgradle-plugins-java 4.4.1-7, with
unzip 6.0-24 (zip bomb detection included) and no errors were detected.
This bug may be of interest to the Debian gradle maintainers if they
think any future upstream fix is suitable for backport, but if not, this
bug should be closed as it does not seem to affect the version of Gradle
in Debian sid (4.4.1-7). Please reassign or close as you see fit.
Given that the affected jars are all built with Gradle, and that the
current stable Gradle release (5.5.1) includes several affected jars
themselves built with Gradle, the problem is likely in Gradle, or the
JDK itself. In any case, the Gradle project are best positioned to
investigate.
I have forwarded this bug upstream to the Gradle project:
Gradle jars "grossly invalid zip files" that trigger zip bomb detection
[CVE-2019-13232]
https://github.com/gradle/gradle/issues/9990
Kind regards,
--
Ben Caradoc-Davies <b...@transient.nz>
Director
Transient Software Limited <https://transient.nz/>
New Zealand
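Added worked example (not part of this thread, and not code from unzip, Debian or the Gradle project): a small Python checker in the spirit of the overlapping-entry detection that unzip 6.0-24 gained for CVE-2019-13232, the kind of scan Ben describes running over the Debian gradle jars. It walks the central directory itself rather than trusting the zipfile module, derives each entry's local-header extent, and flags entries whose data overlaps or whose local-header name disagrees with the central directory. Both sample archives are constructed in the script; the "bad" one is made by patching one central-directory offset. The parser assumes no ZIP64 records, no archive comment and no data descriptors, which holds for the archives it builds.

```python
import io
import struct
import zipfile

# Fixed-size parts of the three ZIP records we need (little-endian, APPNOTE layout).
LOCAL_HDR = struct.Struct("<4sHHHHHLLLHH")            # 30 bytes
CENTRAL_HDR = struct.Struct("<4sHHHHHHLLLHHHHHLL")    # 46 bytes
EOCD = struct.Struct("<4sHHHHLLH")                     # 22 bytes
CD_OFFSET_FIELD = 42  # byte position of "relative offset of local header" in a central record


def parse_central_directory(data: bytes):
    """Return one dict per central-directory entry: name, local header offset,
    compressed size and the position of the central record itself.
    Assumption: no archive comment and no ZIP64 extensions."""
    eocd_pos = data.rfind(b"PK\x05\x06")
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _sig, _disk, _cd_disk, _here, total, _cd_size, cd_offset, _clen = EOCD.unpack_from(data, eocd_pos)
    entries = []
    pos = cd_offset
    for _ in range(total):
        f = CENTRAL_HDR.unpack_from(data, pos)
        if f[0] != b"PK\x01\x02":
            raise ValueError("bad central directory signature at %d" % pos)
        nlen, xlen, clen = f[10], f[11], f[12]
        entries.append({
            "name": data[pos + 46:pos + 46 + nlen].decode("utf-8"),
            "offset": f[16],        # where the local header is claimed to be
            "csize": f[8],          # compressed size per the central directory
            "cd_pos": pos,
        })
        pos += 46 + nlen + xlen + clen
    return entries


def local_extent(data: bytes, entry: dict):
    """Read the local header an entry points at and return
    (local name, start, end) of the bytes that entry occupies.
    Assumption: no data descriptor follows the compressed data."""
    off = entry["offset"]
    f = LOCAL_HDR.unpack_from(data, off)
    if f[0] != b"PK\x03\x04":
        raise ValueError("%s: no local header at offset %d" % (entry["name"], off))
    nlen, xlen = f[9], f[10]
    local_name = data[off + 30:off + 30 + nlen].decode("utf-8")
    return local_name, off, off + 30 + nlen + xlen + entry["csize"]


def find_problems(data: bytes):
    """Return a list of human-readable findings; an empty list means the
    archive passed the overlap and name-consistency checks."""
    problems, extents = [], []
    for entry in parse_central_directory(data):
        local_name, start, end = local_extent(data, entry)
        if local_name != entry["name"]:
            problems.append("%s: local header names %r" % (entry["name"], local_name))
        extents.append((start, end, entry["name"]))
    extents.sort()
    # After sorting by start, any entry starting before its predecessor ends overlaps it.
    for (s1, e1, n1), (s2, e2, n2) in zip(extents, extents[1:]):
        if s2 < e1:
            problems.append("overlap: %s [%d,%d) and %s [%d,%d)" % (n1, s1, e1, n2, s2, e2))
    return problems


def build_sample() -> bytes:
    """Constructed well-formed archive with two stored members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"A" * 100)
        zf.writestr("b.txt", b"B" * 100)
    return buf.getvalue()


def build_overlapping(data: bytes) -> bytes:
    """Constructed malformed archive: rewrite b.txt's central-directory offset so
    it points at a.txt's local header, making the two entries share bytes."""
    entries = {e["name"]: e for e in parse_central_directory(data)}
    patched = bytearray(data)
    field = entries["b.txt"]["cd_pos"] + CD_OFFSET_FIELD
    patched[field:field + 4] = struct.pack("<L", entries["a.txt"]["offset"])
    return bytes(patched)


if __name__ == "__main__":
    good = build_sample()
    print("good archive:", find_problems(good) or "no problems")
    print("patched archive:", find_problems(build_overlapping(good)))
```

Run it as-is to see the clean archive pass and the patched one report both a name mismatch and an overlap; to scan real jars, read each file's bytes and pass them to find_problems (jars with ZIP64 records or data descriptors would need the parser extended first).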