Bug 2031730

Summary: Add the switch to opt-out of the zipbomb detection
Product: Red Hat Enterprise Linux 9
Reporter: Jakub Martisko <jamartis>
Component: unzip
Assignee: Jakub Martisko <jamartis>
Status: CLOSED ERRATA
QA Contact: Karel Volný <kvolny>
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: fsumsal, kvolny, rmetrich
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: unzip-6.0-54.el9
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-05-17 16:02:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Comment 3 Karel Volný 2022-01-27 12:04:19 UTC
unzip-6.0-53.el9.x86_64 fails

unzip-6.0-56.el9.x86_64 passes

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 07:01:26 ] :: [   PASS   ] :: Testing heap-oob.zip with unzip -t (zip bomb) (Expected 12, got 12)
:: [ 07:01:26 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.pPJv5Xz6' should contain 'error: invalid zip file with overlapped components (possible zip bomb)' 
:: [ 07:01:26 ] :: [   PASS   ] :: Testing zbsm.zip (Expected 12, got 12)
:: [ 07:01:26 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.ESiSDEd8' should contain 'error: invalid zip file with overlapped components (possible zip bomb)' 
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 0s
::   Assertions: 4 good, 0 bad
::   RESULT: PASS (Test)


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 07:01:26 ] :: [   PASS   ] :: Disabling zipbomb detection (Expected 0, got 0)
:: [ 07:01:26 ] :: [   PASS   ] :: Testing heap-oob.zip (Expected 51, got 51)
:: [ 07:01:26 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.lPFppl0x' should contain 'error.*missing 808464360 bytes in zipfile' 
:: [ 07:01:26 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.lPFppl0x' should contain 'error.*attempt to seek before beginning of zipfile' 
:: [ 07:01:51 ] :: [   PASS   ] :: Testing zbsm.zip (Expected 0, got 0)
:: [ 07:01:51 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.f9I9PsQX' should contain 'testing: 5X                       OK' 
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 25s
::   Assertions: 6 good, 0 bad
::   RESULT: PASS (Test)

Also, the new manpage adds the text "The zip-bomb checks can be disabled by using the UNZIP_DISABLE_ZIPBOMB_DETECTION=TRUE environment variable."

Comment 8 errata-xmlrpc 2022-05-17 16:02:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: unzip), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:4037