Bug 691566 (CVE-2019-13232) - <app-arch/unzip-6.0_p25: DoS via ZIP bomb
Summary: <app-arch/unzip-6.0_p25: DoS via ZIP bomb
Status: RESOLVED FIXED
Alias: CVE-2019-13232
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve glsa+]
Keywords: STABLEREQ
Depends on: 698694
Blocks: CVE-2018-1000035
Reported: 2019-08-06 13:49 UTC by Hanno Böck
Modified: 2020-03-28 22:21 UTC (History)

See Also:
Package list:
app-arch/unzip-6.0_p25
Runtime testing required: ---
stable-bot: sanity-check+


Description Hanno Böck gentoo-dev 2019-08-06 13:49:07 UTC
See
https://www.bamsoftware.com/hacks/zipbomb/

By using overlapping segments one can cause excessive resource usage in zip unpackers. Please note it's debatable whether this is actually to be considered a security issue, but it has a CVE (see discussion in the link). Debian, though, has decided they'll patch it (though that introduced a regression, which they fixed in -25, see https://metadata.ftp-master.debian.org/changelogs//main/u/unzip/unzip_6.0-25_changelog).

As Gentoo's unzip package follows Debian's, I recommend updating our Debian revision to -25. This would also fix other as yet unfixed bugs and the vulnerability in bug #647008.
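The "overlapping segments" pattern the report refers to is detectable before an archive ever reaches unzip: in a well-formed ZIP every entry's local header plus compressed data occupies its own byte range, so two central-directory entries whose local ranges intersect are a reliable sign of a quoted-overlap bomb. The following is an added pre-screen written for this page, not code from unzip, Debian's patchset or the Gentoo ebuild; it parses each entry's local file header with the standard `zipfile` and `struct` modules, reports overlapping ranges, and, as a secondary heuristic, flags entries whose expansion ratio exceeds an assumed threshold (`MAX_RATIO`, chosen here for illustration). The sample archives are constructed in memory and are ordinary archives, not bombs.

```python
"""Pre-screen a ZIP archive for overlapping entries (the CVE-2019-13232 bomb
pattern) and for extreme per-entry expansion.  Added example; not unzip's or
Debian's code.  MAX_RATIO is an assumed demonstration threshold."""
import io
import struct
import sys
import zipfile

# Local file header: signature, version, flags, method, mtime, mdate, crc32,
# compressed size, uncompressed size, filename length, extra length.
LOCAL_HEADER_FMT = "<4s5H3L2H"
LOCAL_HEADER_SIZE = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes
LOCAL_HEADER_SIG = b"PK\x03\x04"
MAX_RATIO = 200  # assumed: flag entries that expand more than 200x


def local_entry_span(fp, info):
    """Return (start, end, name): the byte range an entry occupies on disk.

    The local header is read rather than trusting the central directory, since
    the local header's own name/extra lengths decide where the data starts.  A
    trailing data descriptor (flag bit 3) is not counted, which only shortens
    the span and so can never create a false overlap.
    """
    fp.seek(info.header_offset)
    hdr = fp.read(LOCAL_HEADER_SIZE)
    if len(hdr) < LOCAL_HEADER_SIZE:
        raise ValueError(f"truncated local header for {info.filename!r}")
    fields = struct.unpack(LOCAL_HEADER_FMT, hdr)
    if fields[0] != LOCAL_HEADER_SIG:
        raise ValueError(f"bad local header signature for {info.filename!r}")
    name_len, extra_len = fields[9], fields[10]
    end = (info.header_offset + LOCAL_HEADER_SIZE + name_len + extra_len
           + info.compress_size)
    return (info.header_offset, end, info.filename)


def find_overlaps(spans):
    """Return (earlier_name, later_name) pairs whose byte ranges intersect.

    Spans are sorted by start offset and compared against the furthest end seen
    so far, so one large entry that swallows many later ones is reported once
    per swallowed entry.  A benign archive stores entries back to back and
    yields an empty list.
    """
    overlaps = []
    cur_end, cur_name = -1, None
    for start, end, name in sorted(spans):
        if start < cur_end:
            overlaps.append((cur_name, name))
        if end > cur_end:
            cur_end, cur_name = end, name
    return overlaps


def check_zip(data):
    """Scan an archive given as bytes; return a list of findings.

    Findings are tuples: ("overlap", name_a, name_b) or ("ratio", name, ratio).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        spans = [local_entry_span(zf.fp, i) for i in infos]
        for a, b in find_overlaps(spans):
            findings.append(("overlap", a, b))
        for i in infos:
            if i.compress_size and i.file_size / i.compress_size > MAX_RATIO:
                findings.append(("ratio", i.filename, i.file_size // i.compress_size))
    return findings


def make_sample_zip():
    """Constructed benign archive (not taken from the bug): two small entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hello.txt", "hello, world\n" * 4)
        zf.writestr("data.bin", bytes(range(256)) * 4)
    return buf.getvalue()


def make_high_ratio_zip():
    """Constructed, well-formed archive with one very compressible entry
    (1 MiB of zeros); it trips the ratio heuristic but has no overlap."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", bytes(1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python zipcheck.py archive.zip [...]; with no arguments, scan the
    # two constructed samples.
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("sample", make_sample_zip()), ("zeros", make_high_ratio_zip())]
    for label, blob in inputs:
        print(label, check_zip(blob) or "clean")
```

The overlap check is the one that matters for this CVE: a quoted-overlap archive is entirely valid by the central directory's own accounting, so only comparing entries' local byte ranges exposes it. The ratio heuristic is deliberately separate, since a legitimate archive of sparse data (as the second constructed sample shows) can exceed any fixed ratio, and a finding of that kind is a prompt to extract with size limits rather than a verdict.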
Comment 1 Larry the Git Cow gentoo-dev 2019-08-10 17:12:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fbf679e99554488d9d20c3cecaf4063733f70e6f

commit fbf679e99554488d9d20c3cecaf4063733f70e6f
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-08-10 15:46:38 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-08-10 17:07:29 +0000

    app-arch/unzip: bump to Debian patchset 25
    
    Bug: https://bugs.gentoo.org/647008
    Bug: https://bugs.gentoo.org/691566
    
    Signed-off-by: Aaron Bauman <bman@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/12670
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-arch/unzip/Manifest             |  1 +
 app-arch/unzip/unzip-6.0_p25.ebuild | 86 +++++++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2019-08-10 17:17:29 UTC
@base-system, please call for stable when ready.
Comment 3 Agostino Sarubbo gentoo-dev 2019-10-28 07:42:01 UTC
amd64 stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-01 10:12:10 UTC
arm stable
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-11-06 23:31:25 UTC
arm64 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-08 08:34:18 UTC
s390 stable
Comment 7 Matt Turner gentoo-dev 2019-11-09 22:56:37 UTC
alpha stable
Comment 8 Rolf Eike Beer archtester 2019-11-10 21:58:42 UTC
hppa stable
Comment 9 Rolf Eike Beer archtester 2019-11-11 19:53:59 UTC
sparc stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2019-12-01 14:11:00 UTC
ppc64 stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2020-01-18 11:33:05 UTC
ia64 stable
Comment 12 ernsteiswuerfel archtester 2020-01-21 01:06:12 UTC
Looking good on ppc.

Tests fail like on other 32-bit arches (bug #698694).

# cat unzip-691566.report 
USE tests started on Di 21. Jan 01:08:56 CET 2020

 FEATURES=' test' failed for =app-arch/unzip-6.0_p25
USE='-bzip2 -natspec -unicode' succeeded for =app-arch/unzip-6.0_p25
USE='bzip2 -natspec -unicode' succeeded for =app-arch/unzip-6.0_p25
USE='-bzip2 natspec -unicode' succeeded for =app-arch/unzip-6.0_p25
USE='bzip2 natspec -unicode' succeeded for =app-arch/unzip-6.0_p25
USE='-bzip2 -natspec unicode' succeeded for =app-arch/unzip-6.0_p25
USE='bzip2 -natspec unicode' succeeded for =app-arch/unzip-6.0_p25
USE='-bzip2 natspec unicode' succeeded for =app-arch/unzip-6.0_p25
USE='bzip2 natspec unicode' succeeded for =app-arch/unzip-6.0_p25

revdep tests started on Di 21. Jan 01:28:32 CET 2020

FEATURES=' test' USE='web' succeeded for net-analyzer/nagios-core
FEATURES=' test' USE='' succeeded for app-admin/analog
FEATURES=' test' USE='-minimal' succeeded for app-misc/unfoo
FEATURES=' test' USE='' succeeded for www-misc/htdig
FEATURES=' test' USE='' succeeded for app-vim/rainbow_parentheses
FEATURES=' test' USE='' succeeded for app-vim/perlomni
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2020-02-08 11:28:31 UTC
ppc stable thanks to ernsteiswuerfel!
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 14:07:35 UTC
SuperH port disbanded.
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-26 18:13:06 UTC
Added to an existing GLSA request.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2020-03-26 18:20:57 UTC
This issue was resolved and addressed in
 GLSA 202003-58 at https://security.gentoo.org/glsa/202003-58
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 17 Larry the Git Cow gentoo-dev 2020-03-26 18:25:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c37adbe2dbe3a23b257d6cb157e88b303c54854

commit 3c37adbe2dbe3a23b257d6cb157e88b303c54854
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-26 18:23:28 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-26 18:24:51 +0000

    app-arch/unzip: security cleanup (bug #691566)
    
    Bug: https://bugs.gentoo.org/691566
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-arch/unzip/Manifest                |  1 -
 app-arch/unzip/unzip-6.0_p21-r2.ebuild | 86 ----------------------------------
 2 files changed, 87 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=af08bf9e16e9a2e3e1e6a14d31c70260835882a9

commit af08bf9e16e9a2e3e1e6a14d31c70260835882a9
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-26 18:22:34 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-26 18:24:30 +0000

    app-arch/unzip: mark x86 & m68k stable (bug #691566)
    
    Bug: https://bugs.gentoo.org/691566
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-arch/unzip/unzip-6.0_p25-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)