CVE-2019-13232

NameCVE-2019-13232
DescriptionInfo-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip bomb" issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1846-1
NVD severitymedium
Debian Bugs931433

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
unzip (PTS)jessie6.0-16+deb8u3vulnerable
jessie (security)6.0-16+deb8u5fixed
stretch6.0-21+deb9u2fixed
buster6.0-23+deb10u1fixed
bullseye, sid6.0-25fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
unzipsource(unstable)6.0-24unimportant931433
unzipsourcebuster6.0-23+deb10u1
unzipsourcejessie6.0-16+deb8u4DLA-1846-1
unzipsourcestretch6.0-21+deb9u2

Notes

https://www.bamsoftware.com/hacks/zipbomb/
Fixed by: https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
Fix depends on: https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213
Further commit needed: https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc
No security impact, crash in CLI tool, any server implementing automatic extraction needs
to apply resource limits anyway
https://www.openwall.com/lists/oss-security/2019/08/06/3

Search for package or bug name: Reporting problems