-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2478.2
                 [SECURITY] [DLA 1846-1] unzip security update
                                29 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           unzip
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Linux variants
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-13232

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2019/07/msg00005.html

Revision History:  July 29 2019: Update released to fix regression
                   July  8 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : unzip
Version        : 6.0-16+deb8u4
CVE ID         : CVE-2019-13232
Debian Bug     : 931433

David Fifield discovered a way to construct non-recursive "zip bombs"
that achieve a high compression ratio by overlapping files inside the
zip container. However, the output size increases quadratically in the
input size, reaching a compression ratio of over 28 million
(10 MB -> 281 TB) at the limits of the zip format, which can cause a
denial of service. Mark Adler provided a patch to detect and reject such
zip files for the unzip program.

For Debian 8 "Jessie", this problem has been fixed in version
6.0-16+deb8u4.

We recommend that you upgrade your unzip packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl0iUXFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeSNmg//aYlnFC/oldyGW2Y3fDNrE+BDvUVsa692Y2H6g1AIqzHCtMBlRd4ZHU7A
80ebCNDQOuZSrG5MhadlxfpKhMbLzlwYjxEGbl/q7b6wKmj6Zs0JoRkR+gkTuyiv
ivHSe9wBmsWK0dXjw++8agoK2XPBDSVfCMEsFhpOM07dsE0gEU0p5Z3Dziefqfi8
HE3xotd3pp8SzM+0nBiOpVyC6ZdvIlrw5LuF+aTADBclAmuDna6JJnyz1D72auHT
il9kjbqoSCD0mL/iDYXvRuGanRNAN7UIc+rrCWNn/DsYpX7A+o+cncvLK2lKxmZP
1EuQIwh1U6lfiBd4ipvFkGdt4pzHnBsdQc4Z3oFEbEqLqhNZpzzFcIuc4KIxRHkt
KQGjEzQ4desb/MdtD05RmmmHZu3axpuZIyKzrc2t8XIR69KQpDOufHOYfVWc0Iok
ZloyyVmTDOxOoP/TIk5UNXPhHJ0G6MwRxIMKdj2x5g9kswlBAa/67KFqrt9FZ3Ng
MqQH1/fLgGsUJhUyANJHApb6+OoxsNg03MeP59BosXr79X9BbNaTOIh9TdCjklRH
yJzUjg9A6B/b0wiIEMrUvf5IsXCJo1jIiss0a3gCcGPZWdJQGNDKm553PE9EjjzP
zOtJOHCjKbhOwVIHkb3sUTPAc+mTMoiJa/YhbeKl/cW+0jXizmQ=
=197w
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : unzip
Version        : 6.0-16+deb8u5
CVE ID         : CVE-2019-13232
Debian Bug     : 932404

The unzip security update issued as DLA 1846-1 caused a regression when
building the Firefox web browser from source. There is a zip-like file
in the Firefox distribution, omni.ja, which is a zip container with the
central directory placed at the start of the file instead of after the
local entries as required by the zip standard. This update now permits
such containers to not raise a zip bomb alert, where in fact there are
no overlaps.

For Debian 8 "Jessie", this problem has been fixed in version
6.0-16+deb8u5.

We recommend that you upgrade your unzip packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl0+JFZfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeSXLw/7BWA6pcU+uq+4Ujq7sL8C5upQNPt1hme3G6oFJ7engGhCND5+kQBdIFlJ
3OgEGAt3fMdXbRUnpQ8Q0MyKOvu1Nlq/wXvXDYRSGiaSJSWPo95emYG4LK3VExWO
Mquy8zqTQW/PvB09ApDFXnOeDhtZ25CDDqf8Uo38UKjtPrG2pOKy4sSuM/roslmm
RQyI4MOGPeT66QIH1EkDLMfOABTZxg/AYwZUGXsPcECPOp2axvzE36i05cxxtcpv
wMcDWj4i/lsPwdssxua+Z05SKmOzM8MUHhTqspfPyJ+p2Qwra2U2+YYtXhwJVPbB
Ten76Lwov4Bge2A0d4Bnnp5X9+a9gnBLU6AaZ7DpxWmDtvpwqhTxuRgY0/apQvp3
gnhuU43GjThhIXMoSvwNIx4NsqGRdV+uq/ka5KYH3ZQKhhL8RIrSNQQP/9C58j/I
ezfmp7jLONsBdTTQcrHeSXGtFTDVUsb5TKfDseZMGOERxjLTtFnZdLOc2qD2rrOy
nxB5P+6FQmztMnhc1eCM+ykSCvlmHH7lk22xguvFuC/Nu/ZRquoilPLHEYc2EGao
AaBgDDvl7VRB61hYJIdcXMFiTM8bIU0l7PO/nFeUNeCH3uCwvY1LvL0qSw6HQ6cZ
MRIMYOmDyUvVm1mxFHZ8dW/rVSgO3VbKDV57Mcr4ml9HxJ1Oq1E=
=lJR4
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.
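The two advisories above turn on one structural fact: a zip archive's central directory records, for each member, the offset of its local header and its compressed size, and a non-recursive zip bomb makes several of those records point into the same bytes. The following is an added illustration, not code from Debian, Info-ZIP or Mark Adler's patch: it reads the central directory with Python's standard zipfile module, computes the byte range each member claims for its local header plus compressed data, and reports any two members whose ranges overlap. Because it compares only the local-entry ranges with one another, a container whose central directory sits at the start of the file (the omni.ja case from DLA 1846-2) is not flagged unless its entries really do overlap. The sample archive and the OVERLAPPING_SPANS list are constructed for the demonstration.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FIXED_LEN = 30  # fixed part of a local file header (APPNOTE 4.3.7)


def local_entry_spans(data: bytes):
    """Return [(name, start, end)] for every central-directory entry.

    start is the local header offset the central directory records; end is
    start + local header (fixed part + name + extra) + compressed size.
    A trailing data descriptor (general-purpose flag bit 3) is not counted,
    which can only leave a gap between entries, never create a false overlap.
    """
    spans = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            hdr = data[off:off + LOCAL_HEADER_FIXED_LEN]
            if len(hdr) < LOCAL_HEADER_FIXED_LEN or hdr[:4] != LOCAL_HEADER_SIG:
                raise ValueError(f"bad local header for {info.filename!r} at offset {off}")
            name_len, extra_len = struct.unpack("<HH", hdr[26:30])
            end = off + LOCAL_HEADER_FIXED_LEN + name_len + extra_len + info.compress_size
            spans.append((info.filename, off, end))
    return spans


def find_overlaps(spans):
    """Return [(earlier_name, later_name)] pairs whose byte ranges overlap.

    Entries are sorted by start offset and compared against the furthest end
    seen so far, so an entry that is entirely inside an earlier, longer entry
    is caught as well as a simple pairwise overlap with its predecessor.
    """
    overlaps = []
    max_end = None
    max_name = None
    for name, start, end in sorted(spans, key=lambda s: s[1]):
        if max_end is not None and start < max_end:
            overlaps.append((max_name, name))
        if max_end is None or end > max_end:
            max_end, max_name = end, name
    return overlaps


def is_suspected_zip_bomb(data: bytes) -> bool:
    """True if any two members of the archive share bytes on disk."""
    return bool(find_overlaps(local_entry_spans(data)))


def build_sample_zip() -> bytes:
    # Constructed sample: a well-formed two-member archive, written in memory.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", "A" * 1000)
        zf.writestr("b.txt", "B" * 1000)
    return buf.getvalue()


# Constructed span list (no real archive) showing what overlapping entries
# look like to the checker: three members whose ranges each start inside
# the previous one.
OVERLAPPING_SPANS = [("x0", 0, 500), ("x1", 100, 600), ("x2", 200, 700)]


if __name__ == "__main__":
    sample = build_sample_zip()
    for name, start, end in local_entry_spans(sample):
        print(f"{name}: bytes {start}-{end}")
    print("sample archive suspected zip bomb:", is_suspected_zip_bomb(sample))
    print("constructed overlapping spans:", find_overlaps(OVERLAPPING_SPANS))
```

Run it on a real archive with `is_suspected_zip_bomb(open(path, "rb").read())`. Note that this is a screening check on the container layout, not a replacement for the packaged fix: it deliberately makes no assumption about where the central directory sits, so it does not reproduce either the DLA 1846-1 behaviour or the relaxation in DLA 1846-2, and an extraction tool should still bound total output size independently.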
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXT5FF2aOgq3Tt24GAQje9g//YhBBDwIciJLfpTQcOeNALrxotVETzLY1
aR0yDB2O8QTBaEPyHx4rKW5EUpwe88ZBLvOehEwYpfK07GdPxnFF5F33TBzIyhDx
3UrhJPNZnkBUiT8d9JT7jL0JopywKHiU7uTeZVnsLb2uQZ9WpelyNIHlgqfQRQcu
aPA0Aidz6SliVz5+niBbWNIHtc3dGy5r7BkNYpZrO0stVwtrm/7tGrBEzYXtFq6z
5mMymzee074U2WSiIxdfQONJ3mCiX13kAEayNGANJ1XeO4X2BUtvoMy3gzC2hU4f
ZsOuk0Ukk5xMXSr6jcu0jrEAMNjZQyJnrvI/7zZdeFqr+3AiID1ack77UjD7/JRD
WKEYdVdepXfatTKOlI1Hs/GWTtgQ09CR5Y7UDBv9Dq9HRs+D7hMC4jPluh56TO+i
+tv6mu6HcJFTD6czpxmyGR3ijy6dmMlOlt4X4i+W47dkhG8fCsnSQCt/HYrtsLDq
unzbTOh4txRdcKuyZwHW+edqLgD20CdxTa3OKlIMngG+zT0MqBTmFZN8GeYSYHbG
vTv7ZFhxbvYv+9ZCqWU7YG3m4iL80FvZhvgha7z9rJEbSiXNzNA0uVajKCzLOIaS
z83CzyfmVr4s1IsLfY8UdZ1T/gHB8i8R1mSMQqurTr/pKvXsGRXF4NycO0/CLezo
ZZjgYAlXyL0=
=FAdj
-----END PGP SIGNATURE-----