[Bug 1513293] Re: unzip security update leads to extracting errors
Marc Deslauriers
marc.deslauriers at canonical.com
Mon Nov 9 14:48:10 UTC 2015
Thanks, I can reproduce the issue with the zipfile in attachment #13.

The issue is caused by the 16-fix-integer-underflow-csiz-decrypted patch
breaking support for 0-byte files because "if (csiz_decrypted <= 12)"
should be "if (csiz_decrypted < 12)".

I'll prepare a regression fix. Thanks!
** Also affects: unzip (Ubuntu Xenial)
Importance: High
Status: New
** Also affects: unzip (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: unzip (Ubuntu Vivid)
Importance: Undecided
Status: New
** Also affects: unzip (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: unzip (Ubuntu Wily)
Importance: Undecided
Status: New
** Changed in: unzip (Ubuntu Precise)
Status: New => Confirmed
** Changed in: unzip (Ubuntu Trusty)
Status: New => Confirmed
** Changed in: unzip (Ubuntu Vivid)
Status: New => Confirmed
** Changed in: unzip (Ubuntu Wily)
Status: New => Confirmed
** Changed in: unzip (Ubuntu Xenial)
Status: New => Confirmed
** Changed in: unzip (Ubuntu Precise)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: unzip (Ubuntu Trusty)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: unzip (Ubuntu Vivid)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: unzip (Ubuntu Wily)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: unzip (Ubuntu Xenial)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to unzip in Ubuntu.
https://bugs.launchpad.net/bugs/1513293
Title:
unzip security update leads to extracting errors
Status in unzip package in Ubuntu:
Confirmed
Status in unzip source package in Precise:
Confirmed
Status in unzip source package in Trusty:
Confirmed
Status in unzip source package in Vivid:
Confirmed
Status in unzip source package in Wily:
Confirmed
Status in unzip source package in Xenial:
Confirmed
Bug description:
This problem appears to have spontaneously arisen for me in 14.4.
I am using the following version of file-roller to manage archives of
an SVN code base:
    $ apt-cache policy file-roller
    file-roller:
      Installed: 3.10.2.1-0ubuntu4.1
      Candidate: 3.10.2.1-0ubuntu4.1
      Version table:
     *** 3.10.2.1-0ubuntu4.1 0
            500 http://au.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
            100 /var/lib/dpkg/status
         3.10.2.1-0ubuntu4 0
            500 http://au.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
This application has suddenly decided to display the "An error
occurred when extracting files" dialogue when accessing any of my
archives - some dating back to July. I have tried copies of my
archives from multiple media, and they all appear to have the same
problem.
More specifically, there is at least one file (/svn/db/write-lock) in
this code base that has the problem when I extract files manually. It
is zero bytes in length and displays a lock icon along with every
other file - I conclude this is because, like all the other files, it
would be encrypted if it contained any data.
Hence, my problem appears to be a problem with the Archive Manager
itself, and may have arisen from changes consequent to my last
software update.
I try to unzip an archive from the command line and get the following:
    $ unzip 2015-10-18.zip -d ~
    Archive: 2015-10-18.zip
    creating: /home/owen/svn/
    [2015-10-18.zip] svn/format password:
    extracting: /home/owen/svn/format
    inflating: /home/owen/svn/README.txt
    creating: /home/owen/svn/db/
    extracting: /home/owen/svn/db/current
    extracting: /home/owen/svn/db/format
    error: invalid compressed data to inflate
I can extract the archive without incident on an old Windows machine
and have put comments about my problem to the Ubuntu forums, but have
yet to receive an answer that would reasonably accord with the problem
I am experiencing.
I am perhaps just a little anxious, but relieved somewhat that I can
still access my archives from another computer. Help would be much
appreciated.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1513293/+subscriptions
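Added example, not part of the original message and not unzip's source: a small C model of the size check discussed above, showing the unchecked underflow, the regressed "<= 12" comparison, and the corrected "< 12" one. It assumes traditional ZIP encryption, which prefixes each encrypted entry with a 12-byte header, and reads the compressed size from a constructed local file header; entry_payload, probe and enum check are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

#define ENC_HEADER_LEN 12u   /* traditional ZIP encryption header, in bytes */
#define LFH_LEN        30u   /* fixed part of a ZIP local file header */

enum check { CHECK_NONE, CHECK_REGRESSED, CHECK_FIXED };

static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 and sets *payload (compressed bytes left after the encryption
 * header), or -1 if the entry is rejected as malformed. */
int entry_payload(const uint8_t *h, size_t len, enum check mode, uint32_t *payload) {
    if (len < LFH_LEN || rd32(h) != 0x04034b50u) return -1;
    uint32_t csiz_decrypted = rd32(h + 18);          /* compressed size field */
    if (h[6] & 1u) {                                 /* flag bit 0: encrypted */
        if (mode == CHECK_REGRESSED && csiz_decrypted <= ENC_HEADER_LEN) return -1;
        if (mode == CHECK_FIXED && csiz_decrypted < ENC_HEADER_LEN) return -1;
        csiz_decrypted -= ENC_HEADER_LEN;            /* wraps around if unchecked */
    }
    *payload = csiz_decrypted;
    return 0;
}

/* Constructed sample: header of an encrypted entry with the given size. */
int probe(uint32_t csize, enum check mode, uint32_t *payload) {
    uint8_t h[LFH_LEN] = { 0x50, 0x4b, 0x03, 0x04, 20, 0, 0x01, 0 };
    for (int i = 0; i < 4; i++) h[18 + i] = (uint8_t)(csize >> (8 * i));
    return entry_payload(h, sizeof h, mode, payload);
}

int main(void) {
    static const char *name[] = { "none", "<= 12", "< 12" };
    const uint32_t sizes[] = { 11, 12, 13 };  /* 12 = encrypted 0-byte file */
    for (int m = CHECK_NONE; m <= CHECK_FIXED; m++)
        for (int s = 0; s < 3; s++) {
            uint32_t left = 0;
            int rc = probe(sizes[s], (enum check)m, &left);
            printf("check %-5s csize=%2u -> rc=%d payload=%u\n",
                   name[m], (unsigned)sizes[s], rc, (unsigned)left);
        }
    return 0;
}
```

A compressed size of exactly 12 is a valid encrypted entry with no data, so a regression test for this kind of fix should cover 11, 12 and 13.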