CVE-2019-13232

Опубликовано: 04 июл. 2019

Источник: debian

EPSS Низкий

Описание

Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip bomb" issue.

Пакеты

Пакет	Статус	Версия исправления	Релиз	Тип
unzip	fixed	6.0-24		package
unzip	fixed	6.0-23+deb10u1	buster	package
unzip	fixed	6.0-21+deb9u2	stretch	package

Примечания

https://www.bamsoftware.com/hacks/zipbomb/
Fixed by: https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
Fix depends on: https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213
Further commit needed: https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc
No security impact, crash in CLI tool, any server implementing automatic extraction needs
to apply resource limits anyway
https://www.openwall.com/lists/oss-security/2019/08/06/3

EPSS

Процентиль: 14%

0.00046

Низкий

Связанные уязвимости

CVE-2019-13232

CVSS3: 3.3

ubuntu

около 6 лет назад

Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip bomb" issue.

CVE-2019-13232

CVSS3: 4

redhat

около 6 лет назад

Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip bomb" issue.

CVE-2019-13232

CVSS3: 3.3

nvd

около 6 лет назад

Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip bomb" issue.

CVE-2019-13232

CVSS3: 3.3

msrc

около 5 лет назад

Описание отсутствует

GHSA-8vm7-647w-p9g4

CVSS3: 3.3

github

больше 3 лет назад

Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip bomb" issue.

EPSS

Процентиль: 14%

0.00046

Низкий