Bug 2228754

Summary: unzip detects zipbomb when file is generated by Java zip library
Product: Red Hat Enterprise Linux 9 Reporter: Igor Raits <igor.raits>
Component: unzipAssignee: Jakub Martisko <jamartis>
Status: NEW --- QA Contact: qe-baseos-daemons
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: CentOS StreamCC: bstinson, jwboyer
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Igor Raits 2023-08-03 07:23:19 UTC 
It would be great to backport https://github.com/madler/unzip/commit/af0d07f95809653b669d88aa0f424c6d5aa48ba0

> Previously the zip64 flag determined the size of the lengths in the
> data descriptor. This is compliant with the zip format. However, a
> bug in the Java zip library results in an incorrect setting of that
> flag. This commit permits either 32-bit or 64-bit lengths, auto-
> detecting which it is, which works around the Java bug.

In our environment, we have hundreds of such ZIP files…