Bug 1900915 - unzip fails with "not enough memory for bomb detection" for bzip2-compressed archives
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: unzip
Version: 8.2
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Jakub Martisko
QA Contact: Radka Brychtova
Reported: 2020-11-24 00:51 UTC by benjaminmoody
Modified: 2021-05-18 15:05 UTC (History)
Last Closed: 2021-05-18 15:05:57 UTC
Type: Bug

Description benjaminmoody 2020-11-24 00:51:42 UTC
Description of problem:

unzip frequently fails to unpack archives that were created using "zip -Z bzip2", saying "not enough memory for bomb detection" (even though there's clearly plenty of memory available.)

I don't fully understand the problem, but Mark Adler has posted two patches that appear to fix it:

  https://github.com/madler/unzip/commit/5e2efcd633a4a1fb95a129a75508e7d769e767be
  https://github.com/madler/unzip/commit/5c572555cf5d80309a07c30cf7a54b2501493720


Version-Release number of selected component (if applicable):

unzip-6.0-43.el8.x86_64


How reproducible:

Always happens with particular archives, but not all archives.  I gather from the above patches that this can sometimes affect deflated archives, but I've only seen it with bzip2ed archives.


Steps to Reproduce:
1. Download and unpack the original unzip-6.0 sources
2. "zip -Z bzip2 test.zip zip.h zipinfo.c"
3. "unzip -o test.zip"


Actual results:

unzip extracts zip.h and then fails:

    Archive:  test.zip
     bunzipping: zip.h
    error: not enough memory for bomb detection


Expected results:

unzip should extract both files:

    Archive:  test.zip
     bunzipping: zip.h
     bunzipping: zipinfo.c


Additional info:

See the corresponding Debian bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963996

Comment 1 Jakub Martisko 2020-11-24 10:14:21 UTC
Thanks for the report and the patches, they indeed seem to fix the issue (at least the bzip2 one).

Comment 8 errata-xmlrpc 2021-05-18 15:05:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (unzip bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1677

