Name | CVE-2019-13232 |
Description | Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip bomb" issue. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-1846-1 |
Debian Bugs | 931433 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
unzip (PTS) | bullseye (security), bullseye | 6.0-26+deb11u1 | fixed |
| bookworm, sid, trixie | 6.0-28 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|
unzip | source | jessie | 6.0-16+deb8u4 | | DLA-1846-1 | |
unzip | source | stretch | 6.0-21+deb9u2 | | | |
unzip | source | buster | 6.0-23+deb10u1 | | | |
unzip | source | (unstable) | 6.0-24 | unimportant | | 931433 |
Notes
https://www.bamsoftware.com/hacks/zipbomb/
Fixed by: https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
Fix depends on: https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213
Further commit needed: https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc
No security impact, crash in CLI tool, any server implementing automatic extraction needs
to apply resource limits anyway
https://www.openwall.com/lists/oss-security/2019/08/06/3