Santiago,

Thank you for the report.

I downloaded the four false-positive zip files from the bugreport page, and none of them showed a zip bomb error (or any other error). How exactly did you apply the fix? Did you download the complete source from github? Or did you try to selectively apply a commit?

Mark

> On Jul 12, 2019, at 12:41 AM, Santiago Vila <sanv...@unex.es> wrote:
> 
> Hello.
> 
> I applied your fix for the zip bomb issue to the Debian unzip package
> and shortly afterwards I received this bug report from one of our users
> (Ben Caradoc-Davies, in the Cc).
> 
> (Note: Our BTS is email-based, but I could also put an issue on github
> if you prefer).
> 
> The full report is available here:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931895
> 
> Thanks.
> 
> ----- Forwarded message from Ben Caradoc-Davies <b...@transient.nz> -----
> 
> Date: Fri, 12 Jul 2019 11:52:14 +1200
> From: Ben Caradoc-Davies <b...@transient.nz>
> To: Debian Bug Tracking System <sub...@bugs.debian.org>
> Subject: Bug#931895: unzip: zip bomb false positives in Java ecosystem
> X-Mailer: reportbug 7.5.2
> 
> Package: unzip
> Version: 6.0-24
> Severity: normal
> 
> Dear Maintainer,
> 
> zip bomb detection introduced in 6.0-24 (see #931433
> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931433> and CVE-2019-13232)
> causes unzip to reject many jar files distributed in the Java ecosystem.
> 
> Workaround is to downgrade to unzip 6.0-23.
> 
> Examples:
> 
> $ find .gradle .m2 java -name "*.jar" -type f -size +0c -print -exec unzip -tq {} \; 2>&1 | grep -B1 invalid
> .gradle/wrapper/dists/gradle-5.2.1-bin/9lc4nzslqh3ep7ml2tp68fk8s/gradle-5.2.1/lib/groovy-all-1.0-2.5.4.jar
> error: invalid zip file with overlapped components (possible zip bomb)
> --
> .gradle/wrapper/dists/gradle-5.4.1-bin/e75iq110yv9r9wt1a6619x2xm/gradle-5.4.1/lib/gradle-kotlin-dsl-5.4.1.jar
> error: invalid zip file with overlapped components (possible zip bomb)
> --
> .gradle/wrapper/dists/gradle-5.4.1-bin/e75iq110yv9r9wt1a6619x2xm/gradle-5.4.1/lib/plugins/gradle-kotlin-dsl-tooling-builders-5.4.1.jar
> error: invalid zip file with overlapped components (possible zip bomb)
> --
> .gradle/wrapper/dists/gradle-5.4.1-bin/e75iq110yv9r9wt1a6619x2xm/gradle-5.4.1/lib/plugins/gradle-kotlin-dsl-provider-plugins-5.4.1.jar
> error: invalid zip file with overlapped components (possible zip bomb)
> --
> .gradle/wrapper/dists/gradle-5.4.1-bin/e75iq110yv9r9wt1a6619x2xm/gradle-5.4.1/lib/groovy-all-1.0-2.5.4.jar
> error: invalid zip file with overlapped components (possible zip bomb)
> --
> .m2/repository/org/ow2/asm/asm-tree/5.0.3/asm-tree-5.0.3-sources.jar
> error: invalid zip file with overlapped components (possible zip bomb)
> --
> .m2/repository/org/ow2/asm/asm-util/5.0.3/asm-util-5.0.3-sources.jar
> error: invalid zip file with overlapped components (possible zip bomb)
> --
> .m2/repository/org/ow2/asm/asm/5.0.3/asm-5.0.3-sources.jar
> error: invalid zip file with overlapped components (possible zip bomb)
> --
> .m2/repository/org/ow2/asm/asm-analysis/5.0.3/asm-analysis-5.0.3-sources.jar
> error: invalid zip file with overlapped components (possible zip bomb)
> --
> .m2/repository/org/springframework/spring-orm/4.2.5.RELEASE/spring-orm-4.2.5.RELEASE-sources.jar
> error: invalid zip file with overlapped components (possible zip bomb)
> --
> .m2/repository/org/springframework/spring-orm/4.3.7.RELEASE/spring-orm-4.3.7.RELEASE-sources.jar
> error: invalid zip file with overlapped components (possible zip bomb)
> --
> .m2/repository/org/springframework/spring-beans/4.3.16.RELEASE/spring-beans-4.3.16.RELEASE-sources.jar
> error: invalid zip file with overlapped components (possible zip bomb)
> --
> .m2/repository/org/springframework/spring-beans/4.2.5.RELEASE/spring-beans-4.2.5.RELEASE-sources.jar
> error: invalid zip file with overlapped components (possible zip bomb)
> --
> .m2/repository/org/springframework/spring-beans/4.3.18.RELEASE/spring-beans-4.3.18.RELEASE-sources.jar
> error: invalid zip file with overlapped components (possible zip bomb)
> --
> .m2/repository/org/springframework/spring-beans/4.3.7.RELEASE/spring-beans-4.3.7.RELEASE-sources.jar
> error: invalid zip file with overlapped components (possible zip bomb)
> --
> java/gradle-5.5.1/lib/plugins/gradle-kotlin-dsl-tooling-builders-5.5.1.jar
> error: invalid zip file with overlapped components (possible zip bomb)
> --
> java/gradle-5.5.1/lib/plugins/gradle-kotlin-dsl-provider-plugins-5.5.1.jar
> error: invalid zip file with overlapped components (possible zip bomb)
> --
> java/gradle-5.5.1/lib/gradle-kotlin-dsl-5.5.1.jar
> error: invalid zip file with overlapped components (possible zip bomb)
> java/gradle-5.5.1/lib/groovy-all-1.0-2.5.4.jar
> error: invalid zip file with overlapped components (possible zip bomb)
> 
> Kind regards,
> Ben.
> 
> 
> 
> -- System Information:
> Debian Release: bullseye/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages unzip depends on:
> ii  libbz2-1.0  1.0.6-9.2
> ii  libc6       2.28-10
> 
> unzip recommends no packages.
> 
> Versions of packages unzip suggests:
> ii  zip  3.0-11+b1
> 
> -- no debconf information
> 
> ----- End forwarded message -----
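The `unzip -tq` loop in the bug report only says that an archive was rejected, not which components collide. The script below is an added diagnostic, not unzip's or Debian's code, that approximates the check behind "invalid zip file with overlapped components": it reads the central directory with Python's zipfile module, computes each entry's [local header, end of compressed data) span, and reports any span that overlaps another entry or the central directory itself. The two sample archives (`make_clean_zip`, `make_overlapping_zip`) are constructed in memory for the example; the "overlapping" one adds a second central-directory entry that points at the first entry's local header. Assumptions of this example: no Zip64 support, and the optional data descriptor after an entry's data is not counted, so spans err on the short side and cannot produce a false overlap. It is not guaranteed to agree with unzip's own implementation on every archive.

```python
"""Report overlapping components in a zip archive (added example; not unzip's code).

Approximates the "overlapped components" check: every central-directory
entry's [local header, end of compressed data) span must be disjoint from
every other entry's span and from the central directory.
Assumptions: non-Zip64 archives; data descriptors are not counted.
"""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b'PK\x03\x04'
EOCD_SIG = b'PK\x05\x06'


def _eocd(data):
    """Locate the end-of-central-directory record.
    Returns (eocd_position, entry_count, cd_size, cd_offset)."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError('no end-of-central-directory record found')
    entries, cd_size, cd_offset = struct.unpack('<HII', data[pos + 10:pos + 20])
    return pos, entries, cd_size, cd_offset


def find_overlaps(data):
    """Return a list of overlap descriptions; an empty list means every
    component of the archive occupies its own byte range."""
    eocd_pos, _, _, cd_offset = _eocd(data)
    spans = []
    # Only the central directory is read here; entries are never opened,
    # so a reader that itself rejects overlapped entries does not get in the way.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            start = zi.header_offset
            local = data[start:start + 30]
            if len(local) < 30 or local[:4] != LOCAL_HEADER_SIG:
                return [f'{zi.filename}: no local header at offset {start}']
            # The local header's own name/extra lengths may differ from the
            # central-directory copy, so measure the header in place.
            name_len, extra_len = struct.unpack('<HH', local[26:30])
            end = start + 30 + name_len + extra_len + zi.compress_size
            spans.append((start, end, zi.filename))
    spans.append((cd_offset, eocd_pos, '<central directory>'))
    spans.sort()
    problems = []
    prev_end, prev_name = 0, None
    for start, end, name in spans:
        if start < prev_end:
            problems.append(f'{name} [{start},{end}) overlaps {prev_name}')
        if end > prev_end:
            prev_end, prev_name = end, name
    return problems


def make_clean_zip():
    """Constructed sample: a small jar-like archive written by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('META-INF/MANIFEST.MF', 'Manifest-Version: 1.0\n')
        zf.writestr('a/B.class', b'\xca\xfe\xba\xbe' + bytes(60))
    return buf.getvalue()


def make_overlapping_zip():
    """Constructed sample: the clean archive plus a second central-directory
    entry, under a different name, pointing at the first entry's local
    header, so two components share one data span."""
    data = make_clean_zip()
    eocd_pos, entries, cd_size, cd_offset = _eocd(data)
    cd = data[cd_offset:eocd_pos]
    # Central-directory entry: 46 fixed bytes, then name, extra, comment.
    name_len, extra_len, comment_len = struct.unpack('<HHH', cd[28:34])
    first_len = 46 + name_len + extra_len + comment_len
    first = cd[:first_len]
    alias = b'_' + first[47:46 + name_len]          # same length, new name
    dup = first[:46] + alias + first[46 + name_len:]
    eocd = struct.pack('<4sHHHHIIH', EOCD_SIG, 0, 0, entries + 1, entries + 1,
                       cd_size + first_len, cd_offset, 0)
    return data[:cd_offset] + cd + dup + eocd


if __name__ == '__main__':
    import sys
    if len(sys.argv) == 1:
        print('clean sample:      ', find_overlaps(make_clean_zip()))
        print('overlapping sample:', find_overlaps(make_overlapping_zip()))
    for path in sys.argv[1:]:
        with open(path, 'rb') as fh:
            problems = find_overlaps(fh.read())
        print(path, 'OK' if not problems else '\n  ' + '\n  '.join(problems))
```

Run it with the jar paths from a `find ... -name "*.jar"` listing to see, per archive, which entry pair (or entry and central directory) shares bytes, which is the information needed to tell a genuinely overlapped archive from an oddly written but harmless one.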