Your message dated Mon, 12 Aug 2019 19:17:26 +0000
with message-id <[email protected]>
and subject line Bug#931433: fixed in unzip 6.0-23+deb10u1
has caused the Debian Bug report #931433,
regarding unzip: CVE-2019-13232
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
931433: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931433
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: unzip
Version: 6.0-23
Severity: important
Tags: security upstream
Control: found -1 6.0-21+deb9u1
Control: found -1 6.0-21

Hi,

The following vulnerability was published for unzip.

CVE-2019-13232[0]:
| Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP
| container, leading to denial of service (resource consumption), aka a
| "better zip bomb" issue.

There seems to be a fork of Info-ZIP UnZip trying to address this
issue, but I am not sure if we should follow that.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13232
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13232

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: unzip
Source-Version: 6.0-23+deb10u1

We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <[email protected]> (supplier of updated unzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Tue, 30 Jul 2019 22:26:10 +0200
Source: unzip
Architecture: source
Version: 6.0-23+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Santiago Vila <[email protected]>
Changed-By: Santiago Vila <[email protected]>
Closes: 931433 932404
Changes:
 unzip (6.0-23+deb10u1) buster; urgency=medium
 .
   * Apply three patches by Mark Adler to fix CVE-2019-13232.
   - Fix bug in undefer_input() that misplaced the input state.
   - Detect and reject a zip bomb using overlapped entries.
     Bug discovered by David Fifield. Closes: #931433.
   - Do not raise a zip bomb alert for a misplaced central directory.
     Reported by Peter Green. Closes: #932404.


--- End Message ---
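The changelog above says the fix detects and rejects archives whose entries overlap. As an added illustration, not code from unzip, from Mark Adler's patches or from this report, the following Python computes the byte range each central-directory entry claims and reports any overlap before extraction; the fixture builder that repoints one central-directory entry at another's local header is constructed test data, and all function names are my own.

```python
import io
import struct
import zipfile

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # 30-byte local file header
LOCAL_SIG = b"PK\x03\x04"

def entry_spans(data):
    """Yield (name, start, end): the byte range [start, end) of each entry's
    local header plus compressed data, lengths taken from the local header."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            start = zi.header_offset
            hdr = data[start:start + LOCAL_HDR.size]
            if len(hdr) < LOCAL_HDR.size:
                raise ValueError(f"{zi.filename}: local header truncated")
            sig, _, flags, *_, fnlen, exlen = LOCAL_HDR.unpack(hdr)
            if sig != LOCAL_SIG:
                raise ValueError(f"{zi.filename}: bad local header signature")
            # Bit 3: a 12- or 16-byte data descriptor trails the data; count
            # the minimum so a genuine descriptor never looks like an overlap.
            trailer = 12 if flags & 0x08 else 0
            end = start + LOCAL_HDR.size + fnlen + exlen + zi.compress_size + trailer
            yield zi.filename, start, end

def overlapping_entries(data):
    """Return (earlier, later) name pairs whose byte ranges overlap; [] for a
    sane archive. The central directory's own position is not checked (cf.
    the changelog's second item about a misplaced central directory)."""
    hits, prev_name, prev_end = [], None, 0
    for name, start, end in sorted(entry_spans(data), key=lambda s: s[1]):
        if start < prev_end:
            hits.append((prev_name, name))
        if end > prev_end:
            prev_name, prev_end = name, end
    return hits

def make_zip(members):
    """Constructed test data: a well-formed in-memory archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()

def make_overlapped_zip():
    """Constructed fixture: point the second central-directory entry's
    local-header offset (bytes 42..45 of that record) at offset 0."""
    data = bytearray(make_zip([("a.txt", b"A" * 2000), ("b.txt", b"B" * 2000)]))
    second = data.index(b"PK\x01\x02", data.index(b"PK\x01\x02") + 4)
    struct.pack_into("<I", data, second + 42, 0)
    return bytes(data)
```

The check only reads headers, so it runs before any entry is inflated; ZIP64 local headers are handled through the central-directory size that `zipfile` already resolves.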
