See https://www.bamsoftware.com/hacks/zipbomb/

By using overlapping segments one can create excessive resource usage in zip unpackers. Please note it's debatable if this is actually to be considered a security issue, but it has a CVE (see discussion in the link). Though Debian has decided they'll patch it (though it introduced a regression that they fixed in -25, see https://metadata.ftp-master.debian.org/changelogs//main/u/unzip/unzip_6.0-25_changelog ).

As Gentoo's unzip package follows Debian's I recommend updating our Debian revision to -25. This would also fix other yet unfixed bugs and the vulnerability in bug #647008.
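The comment above describes the structure of the archive (central-directory entries whose local file records overlap) without showing what a checker looks for. The following is an added example, not code from this bug, from unzip or from Debian's patchset: it parses an archive's central directory with Python's standard zipfile module, reads each entry's real local header to compute the byte span it occupies, and reports entries whose spans overlap, plus the declared expansion ratio as a cheap first gate. The sample archive is constructed inline (stored, two small members) so the check runs offline; the 100:1 ratio threshold is an assumed default, not a value from the page.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FIXED_LEN = 30  # fixed part of a local file header, before name and extra


def local_entry_span(data, info):
    """Return (start, end) of one entry's local header plus compressed data.

    The name/extra lengths are read from the local header itself rather than
    from the central directory, because the two may legitimately differ.
    """
    off = info.header_offset
    if data[off:off + 4] != LOCAL_HEADER_SIG:
        raise ValueError(f"{info.filename}: no local header at offset {off}")
    name_len, extra_len = struct.unpack_from("<HH", data, off + 26)
    end = off + LOCAL_HEADER_FIXED_LEN + name_len + extra_len + info.compress_size
    return off, end


def find_overlaps(spans):
    """spans: list of (name, start, end). Returns (earlier, later) name pairs
    where the later entry starts before the furthest end seen so far.

    A well-formed archive has disjoint spans, so the result is empty.
    """
    ordered = sorted(spans, key=lambda s: (s[1], s[2]))
    overlaps = []
    prev_name, max_end = None, -1
    for name, start, end in ordered:
        if start < max_end:
            overlaps.append((prev_name, name))
        if end > max_end:
            prev_name, max_end = name, end
    return overlaps


def analyse_zip(data, max_ratio=100.0):
    """Inspect raw archive bytes without extracting anything.

    Returns entry count, overlapping entry pairs, the declared
    uncompressed/compressed ratio, and a combined verdict. The ratio is
    computed from central-directory sizes, i.e. what a naive extractor would
    write to disk; the overlap check targets the structure described above.
    """
    zf = zipfile.ZipFile(io.BytesIO(data))
    infos = zf.infolist()
    spans = [(i.filename, *local_entry_span(data, i)) for i in infos]
    overlaps = find_overlaps(spans)
    compressed = sum(i.compress_size for i in infos)
    declared = sum(i.file_size for i in infos)
    ratio = declared / compressed if compressed else 0.0
    return {
        "entries": len(spans),
        "overlaps": overlaps,
        "declared_ratio": ratio,
        "suspicious": bool(overlaps) or ratio > max_ratio,
    }


def build_sample_zip():
    """Constructed, benign two-member archive (stored, so ratio is exactly 1.0)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"first member\n" * 8)
        zf.writestr("b.txt", b"second member\n" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    report = analyse_zip(build_sample_zip())
    print(report)
    # Synthetic spans standing in for an archive whose second entry reuses
    # bytes of the first (no such archive is built here).
    print(find_overlaps([("a", 0, 100), ("b", 50, 150), ("c", 200, 300)]))
```

find_overlaps works on plain (name, start, end) tuples so it can be exercised against hand-written spans; analyse_zip never opens a member, so nothing is inflated while the archive is being judged.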
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fbf679e99554488d9d20c3cecaf4063733f70e6f

commit fbf679e99554488d9d20c3cecaf4063733f70e6f
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-08-10 15:46:38 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-08-10 17:07:29 +0000

    app-arch/unzip: bump to Debian patchset 25

    Bug: https://bugs.gentoo.org/647008
    Bug: https://bugs.gentoo.org/691566
    Signed-off-by: Aaron Bauman <bman@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/12670
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-arch/unzip/Manifest             |  1 +
 app-arch/unzip/unzip-6.0_p25.ebuild | 86 +++++++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
@base-system, please call for stable when ready.
amd64 stable
arm stable
arm64 stable
s390 stable
alpha stable
hppa stable
sparc stable
ppc64 stable
ia64 stable
Looking good on ppc. Tests fail like on other 32-bit arches (bug #698694).

# cat unzip-691566.report
USE tests started on Di 21. Jan 01:08:56 CET 2020
FEATURES=' test' failed for =app-arch/unzip-6.0_p25 USE='-bzip2 -natspec -unicode'
succeeded for =app-arch/unzip-6.0_p25 USE='bzip2 -natspec -unicode'
succeeded for =app-arch/unzip-6.0_p25 USE='-bzip2 natspec -unicode'
succeeded for =app-arch/unzip-6.0_p25 USE='bzip2 natspec -unicode'
succeeded for =app-arch/unzip-6.0_p25 USE='-bzip2 -natspec unicode'
succeeded for =app-arch/unzip-6.0_p25 USE='bzip2 -natspec unicode'
succeeded for =app-arch/unzip-6.0_p25 USE='-bzip2 natspec unicode'
succeeded for =app-arch/unzip-6.0_p25 USE='bzip2 natspec unicode'
revdep tests started on Di 21. Jan 01:28:32 CET 2020
FEATURES=' test' USE='web' succeeded for net-analyzer/nagios-core
FEATURES=' test' USE='' succeeded for app-admin/analog
FEATURES=' test' USE='-minimal' succeeded for app-misc/unfoo
FEATURES=' test' USE='' succeeded for www-misc/htdig
FEATURES=' test' USE='' succeeded for app-vim/rainbow_parentheses
FEATURES=' test' USE='' succeeded for app-vim/perlomni
ppc stable thanks to ernsteiswuerfel!
SuperH port disbanded.
Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 202003-58 at https://security.gentoo.org/glsa/202003-58 by GLSA coordinator Thomas Deutschmann (whissi).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c37adbe2dbe3a23b257d6cb157e88b303c54854

commit 3c37adbe2dbe3a23b257d6cb157e88b303c54854
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-26 18:23:28 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-26 18:24:51 +0000

    app-arch/unzip: security cleanup (bug #691566)

    Bug: https://bugs.gentoo.org/691566
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-arch/unzip/Manifest                |  1 -
 app-arch/unzip/unzip-6.0_p21-r2.ebuild | 86 ----------------------------------
 2 files changed, 87 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=af08bf9e16e9a2e3e1e6a14d31c70260835882a9

commit af08bf9e16e9a2e3e1e6a14d31c70260835882a9
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-26 18:22:34 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-26 18:24:30 +0000

    app-arch/unzip: mark x86 & m68k stable (bug #691566)

    Bug: https://bugs.gentoo.org/691566
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-arch/unzip/unzip-6.0_p25-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)