Ben,

Ah, no, I did not test the jar files. I just did, and indeed I am seeing the reported zip bomb detections.

Thanks. I’ll look into it.

Mark

> On Jul 12, 2019, at 3:22 PM, Ben Caradoc-Davies <b...@transient.nz> wrote:
>
> On 13/07/2019 04:32, Adler, Mark wrote:
>> I downloaded the four false-positive zip files from the bugreport page, and
>> none of them showed a zip bomb error (or any other error).
>
> Mark,
>
> the zip bomb error is seen when unzipping the 17 jar files contained within
> the four zip files. Did you test these inner jar files? I used (in bash):
>
> $ for f in *.jar; do echo $f; unzip -tq $f; done
>
> The outer zip files are there because many email filters block all email with
> jar attachments, and Debian BTS is email-based.
>
> It would also be nice if unzip reported the filename when rejecting a
> suspected zip bomb, as it does when reporting "No errors detected".
>
> Kind regards,
>
> --
> Ben Caradoc-Davies <b...@transient.nz>
> Director
> Transient Software Limited <https://transient.nz/>
> New Zealand