CVE-2019-13232

Name	CVE-2019-13232
Description	Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip bomb" issue.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-1846-1, ELA-141-1, ELA-141-2
Debian Bugs	931433

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
unzip (PTS)	jessie, jessie (lts)	6.0-16+deb8u7	fixed
	stretch (lts), stretch	6.0-21+deb9u3	fixed
	buster (security), buster, buster (lts)	6.0-23+deb10u3	fixed
	bullseye (security), bullseye	6.0-26+deb11u1	fixed
	sid, trixie, bookworm	6.0-28	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
unzip	source	wheezy	6.0-8+deb7u8		ELA-141-2
unzip	source	jessie	6.0-16+deb8u4		DLA-1846-1
unzip	source	stretch	6.0-21+deb9u2
unzip	source	buster	6.0-23+deb10u1
unzip	source	(unstable)	6.0-24	unimportant		931433

Notes

https://www.bamsoftware.com/hacks/zipbomb/
Fixed by: https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
Fix depends on: https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213
Further commit needed: https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc
No security impact, crash in CLI tool, any server implementing automatic extraction needs
to apply resource limits anyway
https://www.openwall.com/lists/oss-security/2019/08/06/3