Bug 1900915

Summary: unzip fails with "not enough memory for bomb detection" for bzip2-compressed archives
Product: Red Hat Enterprise Linux 8
Reporter: benjaminmoody
Component: unzip
Assignee: Jakub Martisko <jamartis>
Status: CLOSED ERRATA
QA Contact: Radka Brychtova <rskvaril>
Severity: unspecified
Priority: unspecified
Version: 8.2
CC: rskvaril
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Hardware: x86_64
OS: Linux
Last Closed: 2021-05-18 15:05:57 UTC
Type: Bug

Description benjaminmoody 2020-11-24 00:51:42 UTC
Description of problem:

unzip frequently fails to unpack archives that were created using "zip -Z bzip2", saying "not enough memory for bomb detection" (even though there's clearly plenty of memory available.)

I don't fully understand the problem, but Mark Adler has posted two patches that appear to fix it:

  https://github.com/madler/unzip/commit/5e2efcd633a4a1fb95a129a75508e7d769e767be
  https://github.com/madler/unzip/commit/5c572555cf5d80309a07c30cf7a54b2501493720


Version-Release number of selected component (if applicable):

unzip-6.0-43.el8.x86_64


How reproducible:

Always happens with particular archives, but not all archives.  I gather from the above patches that this can sometimes affect deflated archives, but I've only seen it with bzip2ed archives.


Steps to Reproduce:
1. Download and unpack the original unzip-6.0 sources
2. "zip -Z bzip2 test.zip zip.h zipinfo.c"
3. "unzip -o test.zip"


Actual results:

unzip extracts zip.h and then fails:

    Archive:  test.zip
     bunzipping: zip.h
    error: not enough memory for bomb detection


Expected results:

unzip should extract both files:

    Archive:  test.zip
     bunzipping: zip.h
     bunzipping: zipinfo.c


Additional info:

See the corresponding Debian bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963996
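
A triage helper for the failure described in this report, as an added example that is not part of the original bug or of unzip: it lists which members use the bzip2 method, verifies them with Python's independent decompressor, and checks whether the local `unzip` prints the reported error. The function names and the sample archive are constructed here; whether a given archive triggers the error depends on the archive, as the report notes.

```python
import io
import os
import shutil
import subprocess
import tempfile
import zipfile

BOMB_ERROR = "not enough memory for bomb detection"  # message quoted in this report


def bzip2_members(data: bytes) -> list[str]:
    """Names of members stored with ZIP compression method 12 (bzip2)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist()
                if i.compress_type == zipfile.ZIP_BZIP2]


def crc_ok(data: bytes) -> bool:
    """Decompress every member independently of unzip and verify its CRC-32."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.testzip() is None


def unzip_hits_bug(data: bytes):
    """Run `unzip -o` in a scratch directory. True if the reported error
    is printed, False if not, None if unzip is not installed."""
    exe = shutil.which("unzip")
    if exe is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "test.zip")
        with open(path, "wb") as fh:
            fh.write(data)
        proc = subprocess.run([exe, "-o", path, "-d", os.path.join(tmp, "out")],
                              capture_output=True, text=True, errors="replace")
    return BOMB_ERROR in proc.stdout + proc.stderr


def make_sample() -> bytes:
    """Constructed two-member archive using the bzip2 method, as `zip -Z bzip2` does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_BZIP2) as zf:
        zf.writestr("a.h", "#define A 1\n" * 500)
        zf.writestr("b.c", "int main(void) { return 0; }\n" * 500)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample()
    print(bzip2_members(sample), crc_ok(sample), unzip_hits_bug(sample))
```

An archive whose members pass `crc_ok` while `unzip_hits_bug` returns True matches the symptom reported here rather than a damaged archive.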

Comment 1 Jakub Martisko 2020-11-24 10:14:21 UTC
Thanks for the report and the patches, they indeed seem to fix the issue (at least the bzip2 one).

Comment 8 errata-xmlrpc 2021-05-18 15:05:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (unzip bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1677