On Fri, Jul 26, 2019 at 04:01:15AM +0000, Adler, Mark wrote: > All, > > Thank you Santiago for the report and David for the diagnosis. Though this is > not a valid zip file, there are in fact no overlapping structures and so > there should not be a bomb alert. > > I have added a commit that initializes the cover with the actual spans of the > central directory, the Zip64 end of central directory record if present, and > the end of central directory record (the latter of which may include the > Zip64 end of central directory locator). unzip then processes the funky > omni.ja file without a bomb alert. > > See: > > > https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc
I've just uploaded the fix for Debian unstable. Thanks a lot!
