RHEL-6286 (project: RHEL)

unzip detects zipbomb when file is generated by Java zip library


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Normal
    • rhel-10.0
    • rhel-10.0
    • Component: unzip
    • Fixed in Build: unzip-6.0-67.el10
    • Severity: Moderate
    • rhel-plumbers
    • ssg_core_services

      It would be great to backport https://github.com/madler/unzip/commit/af0d07f95809653b669d88aa0f424c6d5aa48ba0

      > Previously the zip64 flag determined the size of the lengths in the
      > data descriptor. This is compliant with the zip format. However, a
      > bug in the Java zip library results in an incorrect setting of that
      > flag. This commit permits either 32-bit or 64-bit lengths, auto-
      > detecting which it is, which works around the Java bug.

      In our environment, we have hundreds of such ZIP files…
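To make the mismatch in the quoted commit message concrete, here is an added Python model (not part of this issue and not the code of the referenced unzip commit). It constructs a one-entry archive written in streaming mode, where a zip64 extra field in the local header plays the role of the reader's "zip64 flag", and lets the width of the size fields in the data descriptor be chosen independently. `descriptor_strict` reproduces the pre-fix behaviour (the flag alone decides the width), while `descriptor_autodetect` accepts either width. The detection rule used here, picking the interpretation whose compressed size equals the bytes actually inflated and that is followed by a valid record signature, is an assumption for illustration, not the logic of the commit; all archive bytes are constructed test data.

```python
import struct
import zlib

LOCAL_SIG, DESC_SIG, CDIR_SIG, EOCD_SIG = 0x04034B50, 0x08074B50, 0x02014B50, 0x06054B50
FLAG_DATA_DESCRIPTOR = 0x0008   # general-purpose bit 3: crc/sizes follow the data
ZIP64_EXTRA_ID = 0x0001         # this extra field in the local header is the reader's "zip64 flag"
NEXT_RECORD_SIGS = {b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06", b"PK\x06\x06"}


def build_streamed_entry(name, payload, descriptor_width, zip64_extra):
    """Constructed test archive: one raw-deflate entry written in streaming mode.
    descriptor_width (32 or 64) is the width of the descriptor's size fields;
    zip64_extra=True puts a zip64 extra field in the local header. Combining
    zip64_extra=True with descriptor_width=32 reproduces a flag/descriptor mismatch."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    comp = c.compress(payload) + c.flush()
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    name_b = name.encode()
    extra = struct.pack("<HHQQ", ZIP64_EXTRA_ID, 16, 0, 0) if zip64_extra else b""
    local = struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 45 if zip64_extra else 20,
                        FLAG_DATA_DESCRIPTOR, 8, 0, 0, 0, 0, 0,
                        len(name_b), len(extra)) + name_b + extra
    desc = struct.pack("<IIII" if descriptor_width == 32 else "<IIQQ",
                       DESC_SIG, crc, len(comp), len(payload))
    cdir = struct.pack("<IHHHHHHIIIHHHHHII", CDIR_SIG, 20, 20, FLAG_DATA_DESCRIPTOR,
                       8, 0, 0, crc, len(comp), len(payload), len(name_b),
                       0, 0, 0, 0, 0, 0) + name_b
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 1, 1, len(cdir),
                       len(local) + len(comp) + len(desc), 0)
    return local + comp + desc + cdir + eocd


def read_local_header(buf, off=0):
    """Return (name, flags, zip64_flag, offset of the compressed data)."""
    fields = struct.unpack_from("<IHHHHHIIIHH", buf, off)
    if fields[0] != LOCAL_SIG:
        raise ValueError("not a local file header")
    flags, nlen, elen = fields[2], fields[9], fields[10]
    name = buf[off + 30:off + 30 + nlen].decode()
    extra = buf[off + 30 + nlen:off + 30 + nlen + elen]
    zip64_flag, pos = False, 0
    while pos + 4 <= len(extra):                # walk the extra-field list
        hid, hlen = struct.unpack_from("<HH", extra, pos)
        zip64_flag = zip64_flag or hid == ZIP64_EXTRA_ID
        pos += 4 + hlen
    return name, flags, zip64_flag, off + 30 + nlen + elen


def inflate_streamed(buf, off):
    """Inflate until end-of-stream; return (payload, compressed bytes consumed)."""
    d = zlib.decompressobj(-15)
    payload = d.decompress(buf[off:])
    if not d.eof:
        raise ValueError("truncated deflate stream")
    return payload, len(buf) - off - len(d.unused_data)


def descriptor_strict(buf, off, zip64_flag):
    """Pre-fix behaviour: the zip64 flag alone decides the width of the sizes."""
    if struct.unpack_from("<I", buf, off)[0] == DESC_SIG:
        off += 4                                 # the descriptor signature is optional
    fmt = "<IQQ" if zip64_flag else "<III"
    return struct.unpack_from(fmt, buf, off)     # (crc, csize, usize)


def descriptor_autodetect(buf, off, consumed):
    """Accept either width (assumed rule): take the interpretation whose compressed
    size equals the bytes actually inflated and that is followed by a record signature."""
    if struct.unpack_from("<I", buf, off)[0] == DESC_SIG:
        off += 4
    for fmt in ("<III", "<IQQ"):
        crc, csize, usize = struct.unpack_from(fmt, buf, off)
        end = off + struct.calcsize(fmt)
        if csize == consumed and buf[end:end + 4] in NEXT_RECORD_SIGS:
            return crc, csize, usize
    raise ValueError("data descriptor inconsistent with the streamed data")


def extract_first_entry(buf, strict):
    """Extract the first entry; ok is True only if crc and both sizes check out."""
    name, flags, zip64_flag, data_off = read_local_header(buf)
    if not flags & FLAG_DATA_DESCRIPTOR:
        raise ValueError("example only handles streamed entries")
    payload, consumed = inflate_streamed(buf, data_off)
    desc_off = data_off + consumed
    if strict:
        crc, csize, usize = descriptor_strict(buf, desc_off, zip64_flag)
    else:
        crc, csize, usize = descriptor_autodetect(buf, desc_off, consumed)
    ok = (crc == (zlib.crc32(payload) & 0xFFFFFFFF) and csize == consumed
          and usize == len(payload))
    return name, payload, ok


if __name__ == "__main__":
    text = b"hello from a streamed entry\n" * 500
    mismatched = build_streamed_entry("a.txt", text, 32, zip64_extra=True)
    print("strict:", extract_first_entry(mismatched, strict=True)[2])        # False
    print("autodetect:", extract_first_entry(mismatched, strict=False)[2])   # True
```

With the strict reader, a 32-bit descriptor under a zip64 flag is read as two 64-bit values, so the compressed size comes out as the two 32-bit fields glued together and the uncompressed size is taken from the start of the next record; every subsequent offset is then wrong, which is the kind of inconsistency that makes a well-formed archive look malformed to the extractor. The autodetecting reader recovers the correct values for either width, including the opposite mismatch (64-bit descriptor, no zip64 flag).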

Jakub Martisko (jamartis@redhat.com)
igor.raits@gmail.com (Inactive)
Jakub Martisko
Radka Brychtova
Votes: 0
Watchers: 4
