[Issue 20027] std.zip susceptible to zip malware attacks
July 11, 2019
https://issues.dlang.org/show_bug.cgi?id=20027

--- Comment #1 from Walter Bright <bugzilla@digitalmars.com> ---
More info:

https://www.vice.com/en_us/article/597vzx/the-most-clever-zip-bomb-ever-made-explodes-a-46mb-file-to-45-petabytes

--
September 25, 2019
https://issues.dlang.org/show_bug.cgi?id=20027

Berni <dlang@croco-puzzle.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dlang@croco-puzzle.com

--- Comment #2 from Berni <dlang@croco-puzzle.com> ---
Some of these rejections feel a little bit dubious. E.g. "Rejects ZIP64 version 2 (and ZIP64 version 1).". Do we want to support Zip64 or not? Same question for multiple volumes and encryption.

Also, zip has been designed to contain unused data: When removing a file from an archive, it can just be deleted from the central directory. From the view point of data protection this is horrible, but it's still a correct zip file that should not be rejected by std.zip in my opinion.

"Rejects compression methods other than 0 (uncompressed) or 8 (deflate)." - At least 12 (bzip) might be another candidate for decompression support in my opinion.

Others, like overlapping entries or invalid paths and so on, should of course be rejected.

What do you think?

--
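The distinction drawn above, between legitimate unused bytes (a gap left by an entry deleted from the central directory) and overlapping entries (the structure behind the zip bomb linked in comment #1), is what a parser has to check. The following is an added example, not code from this thread or from phobos; it is written in Python with the standard `zipfile` module rather than in D, and it reads each entry's local header at the offset the central directory claims, then flags any two entries whose byte ranges overlap while tolerating gaps.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
FIXED_LOCAL_HEADER_LEN = 30  # bytes before the variable-length name and extra field


def entry_spans(data: bytes):
    """Return (name, start, end) byte spans for each entry: its local header plus
    compressed payload, using the offsets recorded in the central directory.
    Name/extra lengths are taken from the local header itself, since a crafted
    archive may record different values in the central directory."""
    spans = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            start = info.header_offset
            if start + FIXED_LOCAL_HEADER_LEN > len(data) or data[start:start + 4] != LOCAL_HEADER_SIG:
                raise ValueError(f"{info.filename}: no local header at offset {start}")
            name_len, extra_len = struct.unpack_from("<HH", data, start + 26)
            # Entries written with a trailing data descriptor occupy a few more
            # bytes than this; the span is then slightly short, never too long.
            end = start + FIXED_LOCAL_HEADER_LEN + name_len + extra_len + info.compress_size
            spans.append((info.filename, start, end))
    return spans


def find_overlaps(spans):
    """Return (earlier, later) name pairs whose spans overlap. Gaps between
    spans are unused data and are deliberately not reported."""
    overlaps = []
    max_end, owner = -1, None
    for name, start, end in sorted(spans, key=lambda s: s[1]):
        if start < max_end:
            overlaps.append((owner, name))
        if end > max_end:
            max_end, owner = end, name
    return overlaps


def build_sample_zip() -> bytes:
    """Constructed sample: a well-formed archive with two stored entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"A" * 100)
        zf.writestr("b.txt", b"B" * 100)
    return buf.getvalue()
```

Running `find_overlaps(entry_spans(build_sample_zip()))` on the constructed archive returns an empty list; a span list in which several central-directory records point at the same local header is what the check is there to reject.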
September 27, 2019
https://issues.dlang.org/show_bug.cgi?id=20027

Berni <dlang@croco-puzzle.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|nobody@puremagic.com        |dlang@croco-puzzle.com

--
October 07, 2019
https://issues.dlang.org/show_bug.cgi?id=20027

berni44 <bugzilla@d-ecke.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugzilla@d-ecke.de
           Assignee|dlang@croco-puzzle.com      |bugzilla@d-ecke.de

--
October 10, 2019
https://issues.dlang.org/show_bug.cgi?id=20027

--- Comment #3 from berni44 <bugzilla@d-ecke.de> ---
I moved several of these "rejects" to separate issues, grouping them thematically. I skipped issues that are already fixed, leaving here only the overlapping stuff, where I'll provide a fix in a minute.

--
October 10, 2019
https://issues.dlang.org/show_bug.cgi?id=20027

Dlang Bot <dlang-bot@dlang.rocks> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |pull

--- Comment #4 from Dlang Bot <dlang-bot@dlang.rocks> ---
@berni44 created dlang/phobos pull request #7223 "Fix issue 20027 - std.zip susceptible to zip malware attacks" fixing this issue:

- Fix issue 20027 - std.zip susceptible to zip malware attacks

https://github.com/dlang/phobos/pull/7223

--
October 10, 2019
https://issues.dlang.org/show_bug.cgi?id=20027

Dlang Bot <dlang-bot@dlang.rocks> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Dlang Bot <dlang-bot@dlang.rocks> ---
dlang/phobos pull request #7223 "Fix issue 20027 - std.zip susceptible to zip malware attacks" was merged into master:

- 5f3e85025d3b9aaf5f4435b7b778b92ba26b2b79 by Bernhard Seckinger:
  Fix issue 20027 - std.zip susceptible to zip malware attacks

https://github.com/dlang/phobos/pull/7223

--