
[SECURITY] [DLA 1846-1] unzip security update


Package        : unzip
Version        : 6.0-16+deb8u4
CVE ID         : CVE-2019-13232
Debian Bug     : 931433

David Fifield discovered a way to construct non-recursive "zip bombs"
that achieve a high compression ratio by overlapping files inside the
zip container. With this construction the output size increases
quadratically in the input size, reaching a compression ratio of over
28 million (10 MB -> 281 TB) at the limits of the zip format, which can
cause a denial of service. Mark Adler provided a patch to detect and
reject such zip files for the unzip program.
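As an added example (not Debian's, Info-ZIP's or Mark Adler's code), the following Python reimplements the core idea of such a check: walk the central directory, verify that each entry's offset really points at a local file header, and flag any entry whose byte range starts inside bytes another entry already claims. Both zip fixtures are constructed inside the block; the overlapping one simply has two central-directory records pointing at the same local entry, which is enough to exercise the detector.

```python
import io
import struct
import zipfile

LOCAL_SIG, EOCD_SIG = 0x04034B50, 0x06054B50
EOCD_FMT, CENTRAL_FMT, LOCAL_FMT = "<IHHHHIIH", "<IHHHHHHIIIHHHHHII", "<IHHHHHIIIHH"

def entry_spans(data):
    """Yield (start, end, name): the byte range each central-directory entry claims."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, pos, _ = struct.unpack_from(EOCD_FMT, data, eocd)
    for _ in range(count):
        f = struct.unpack_from(CENTRAL_FMT, data, pos)
        csize, nlen, xlen, clen, off = f[8], f[10], f[11], f[12], f[16]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        pos += 46 + nlen + xlen + clen
        lf = struct.unpack_from(LOCAL_FMT, data, off)  # local header carries its own lengths
        if lf[0] != LOCAL_SIG:
            raise ValueError(f"{name}: offset {off} is not a local file header")
        yield off, off + 30 + lf[9] + lf[10] + csize, name

def find_overlaps(data):
    """Return names of entries that start inside bytes another entry already claims."""
    overlaps, max_end = [], -1
    for start, end, name in sorted(entry_spans(data)):
        if start < max_end:
            overlaps.append(name)
        max_end = max(max_end, end)
    return overlaps

def stored_zip(*members):
    """Constructed fixture: ordinary stored members written by the zipfile module."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for name, payload in members:
            z.writestr(name, payload)
    return buf.getvalue()

def overlapping_zip():
    """Constructed fixture: one local entry referenced by two central-directory records."""
    data = stored_zip(("a.txt", b"hello"))
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    hdr = list(struct.unpack_from(EOCD_FMT, data, eocd))
    record = bytearray(data[hdr[6]:eocd])  # the single central record (46 bytes + name)
    record[46:51] = b"b.txt"               # new name, same local-header offset
    hdr[3] = hdr[4] = 2                    # entry counts
    hdr[5] *= 2                            # central directory size
    return data[:eocd] + bytes(record) + struct.pack(EOCD_FMT, *hdr)
```

A clean archive yields an empty list; the overlapping fixture reports `['b.txt']`, the second record that lands on bytes already claimed by `a.txt`.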

For Debian 8 "Jessie", this problem has been fixed in version
6.0-16+deb8u4.

We recommend that you upgrade your unzip packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS