On Jul 12, 2019, at 9:43 AM, Santiago Vila <sanv...@unex.es> wrote:
> I applied the commits I believed to be the fix for the zipbomb issue, i.e.
> these two:
>
> commit 41beb477c5744bc396fa1162ee0c14218ec12213
> Fix bug in undefer_input() that misplaced the input state.
> commit 47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
> Detect and reject a zip bomb using overlapped entries.
>
> (The Debian version in turn had already a bunch of other changes to
> fix other CVE issues and other misc fixes, I hope there are not
> incompatibilities).

Well, apparently there is an incompatibility. I can make no promises about applying those commits to an unzip source of unknown provenance. Where do I find this source?