Bug 2227130

Summary: The CVE-2019-13232 zipbomb patches are incomplete and flag valid zip files
Product: [Fedora] Fedora Reporter: Colin Cross <fedora-bugzilla>
Component: unzipAssignee: Jakub Martisko <jamartis>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 37CC: jamartis, kdudka, pstodulk
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-01-15 12:19:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Patch to fix zipbomb zip64 data descriptor detection. none

Description Colin Cross 2023-07-28 05:18:26 UTC 
A zip file that meets the following criteria incorrectly triggers the zipbomb detection used to mitigate CVE-2019-13232:
1.  Is larger than 4GB
2.  Uses data descriptors (these are commonly created by the zip implementations in Java and Golang)
3.  Has a file located more than 4GB into the zip file that is shorter than 4GB
4.  Has another file after the previous file.

Fedora's patches for unzip have https://github.com/madler/unzip/commit/122050bac16fae82a460ff739fb1ca0f106e9d85, which contains a bug.  It assumes that a file that uses zip64 extensions in the central directory also uses zip64 extensions in the data descriptor if present.  The zip64 extensions are necessary in the central directory for files whose offset in the zip file is more than 4 GB, even if the file's compressed and uncompressed files fit in the non-zip64 fields.  There is no offset field in the data descriptor, so the zip64 data descriptor is only needed for files whose compressed or uncompressed sizes are more than 4 GB.

Reproducible: Always

Steps to Reproduce:
Create a jar file that meets the above criteria.  Jar is used instead of zip to create the file because Java's zip implementation is streaming so it has to use data descriptors to store the compressed and uncompressed sizes:

# Create an empty 4 GB file
truncate -s 4G 4g.bin
# Add it uncompressed to a jar file to make the size of the jar more than 4 GB:
jar -0 -c -f test.jar 4g.bin
# Add two smaller files
jar -u -f test.jar /etc/redhat-release /etc/fedora-release
# Read the jar file with unzip:
unzip -t test.jar etc/*

Actual Results:  
error: invalid zip file with overlapped components (possible zip bomb)
 To unzip the file anyway, rerun the command with UNZIP_DISABLE_ZIPBOMB_DETECTION=TRUE environmnent variable


Expected Results:  
No error should be printed, there is no overlap in the file.

This is fixed in the zipbomb fork of unzip by https://github.com/madler/unzip/commit/3bee0689f7dc6afb88bda09ffb71b6b15623ff92, which significantly modifies the way data descriptors are parsed.  I'll also attach an alternative smaller, more targeted patch that fixes the issue by correctly detecting when a zip64 data descriptor is in use.

This bug affects some real world use cases.  Android's platform build system uses Go to create zip files, and when they are larger than 4 GB they can trigger this bug.  This can prevent building Android on Fedora.  https://bbs.archlinux.org/viewtopic.php?id=277610 is a similar report on Arch linux, which is using Fedora's patches.
Comment 1 Colin Cross 2023-07-28 05:21:05 UTC 
Created attachment 1980377 [details]
Patch to fix zipbomb zip64 data descriptor detection.
Comment 2 Aoife Moloney 2023-11-23 01:48:18 UTC 
This message is a reminder that Fedora Linux 37 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 37 on 2023-12-05.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '37'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 37 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.
Comment 3 Aoife Moloney 2024-01-15 12:19:50 UTC 
Fedora Linux 37 entered end-of-life (EOL) status on 2023-12-05.

Fedora Linux 37 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.