
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.2478.2
               [SECURITY] [DLA 1846-1] unzip security update
                               29 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           unzip
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Linux variants
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-13232

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/07/msg00005.html

Revision History:  July 29 2019: Update released to fix regression
                   July  8 2019: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------


Package        : unzip
Version        : 6.0-16+deb8u4
CVE ID         : CVE-2019-13232
Debian Bug     : 931433

David Fifield discovered a way to construct non-recursive "zip bombs"
that achieve a high compression ratio by overlapping files inside the
zip container. The output size grows quadratically in the input size,
reaching a compression ratio of over 28 million (10 MB -> 281 TB) at the
limits of the zip format, which can cause a denial of service. Mark Adler
provided a patch for the unzip program that detects and rejects such zip
files.

For Debian 8 "Jessie", this problem has been fixed in version
6.0-16+deb8u4.

We recommend that you upgrade your unzip packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Package        : unzip
Version        : 6.0-16+deb8u5
CVE ID         : CVE-2019-13232
Debian Bug     : 932404

The unzip security update issued as DLA 1846-1 caused a regression
when building the Firefox web browser from source.

The Firefox distribution contains a zip-like file, omni.ja, which is a
zip container with the central directory placed at the start of the file
instead of after the local entries, as the zip standard requires. This
update allows such containers, which in fact contain no overlapping
entries, to be processed without raising a zip bomb alert.
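As an added example (not the unzip patch by Mark Adler nor Debian's code), the following Python reconstructs the byte range each central-directory entry claims and reports any two entries, or an entry and the central directory, whose ranges overlap, which is the construction the two advisories above describe. It treats a container whose central directory sits at the start of the file (the omni.ja layout) as valid when its entries do not overlap; the field offsets follow the PKWARE zip format, the sample containers are constructed inline, and the extent calculation assumes entries carry no trailing data descriptor.

```python
import struct
import zipfile
from io import BytesIO

def _eocd(data):  # (entry count, central directory size, central directory offset) from the EOCD record
    return struct.unpack_from("<HII", data, data.rfind(b"PK\x05\x06") + 10)

def entry_extents(data):  # (start, end, name) byte range of every local entry, plus the central directory
    count, cd_size, pos = _eocd(data)
    extents = [(pos, pos + cd_size, "<central directory>")]
    for _ in range(count):
        csize, nlen, xlen, clen = struct.unpack_from("<I4xHHH", data, pos + 20)
        loc = struct.unpack_from("<I", data, pos + 42)[0]          # offset of the local file header
        lnlen, lxlen = struct.unpack_from("<HH", data, loc + 26)   # local name/extra field lengths
        # 30-byte local header + name + extra + compressed data; assumes no trailing data descriptor
        extents.append((loc, loc + 30 + lnlen + lxlen + csize, data[pos + 46:pos + 46 + nlen].decode()))
        pos += 46 + nlen + xlen + clen
    return extents

def find_overlaps(data):  # names whose bytes overlap an earlier range; [] means no zip-bomb overlap
    bad, high = [], -1
    for start, end, name in sorted(entry_extents(data)):
        if start < high:
            bad.append(name)
        high = max(high, end)
    return bad

def make_zip(files):  # constructed sample, normal layout: local entries first, central directory last
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, payload in files.items():
            z.writestr(name, payload)
    return buf.getvalue()

def central_directory_first(data):  # constructed omni.ja-style layout: central directory moved to the front
    count, cd_size, cd_off = _eocd(data)
    cd, pos = bytearray(data[cd_off:cd_off + cd_size]), 0
    for _ in range(count):  # every local header shifts right by cd_size
        struct.pack_into("<I", cd, pos + 42, struct.unpack_from("<I", cd, pos + 42)[0] + cd_size)
        pos += 46 + sum(struct.unpack_from("<HHH", cd, pos + 28))
    tail = bytearray(data[cd_off + cd_size:])
    struct.pack_into("<I", tail, 16, 0)  # the EOCD record now places the central directory at offset 0
    return bytes(cd) + data[:cd_off] + bytes(tail)

def overlapping(data):  # constructed overlap: the second entry reuses the first entry's local header offset
    _, _, cd_off = _eocd(data)
    second = data.find(b"PK\x01\x02", cd_off + 4)
    out = bytearray(data)
    out[second + 42:second + 46] = data[cd_off + 42:cd_off + 46]
    return bytes(out)
```

Because the check is based on byte ranges rather than on the order of records in the file, a central-directory-first container with non-overlapping entries passes while a container in which two entries share bytes does not.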

For Debian 8 "Jessie", this problem has been fixed in version
6.0-16+deb8u5.

We recommend that you upgrade your unzip packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================