[Issue 20027] std.zip susceptible to zip malware attacks
July 11
https://issues.dlang.org/show_bug.cgi?id=20027

--- Comment #1 from Walter Bright <bugzilla@digitalmars.com> ---
More info:

https://www.vice.com/en_us/article/597vzx/the-most-clever-zip-bomb-ever-made-explodes-a-46mb-file-to-45-petabytes

--
September 25
https://issues.dlang.org/show_bug.cgi?id=20027

Berni <dlang@croco-puzzle.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dlang@croco-puzzle.com

--- Comment #2 from Berni <dlang@croco-puzzle.com> ---
Some of these rejections feel a little bit dubious. E.g. "Rejects ZIP64 version 2 (and ZIP64 version 1).". Do we want to support Zip64 or not? Same question for multiple volumes and encryption.

Also, zip has been designed to contain unused data: When removing a file from an archive, it can just be deleted from the central directory. From the viewpoint of data protection this is horrible, but it's still a correct zip file that should not be rejected by std.zip in my opinion.

"Rejects compression methods other than 0 (uncompressed) or 8 (deflate)." - At least 12 (bzip) might be another candidate for decompression support in my opinion.

Others, like overlapping entries or invalid paths and so on, should of course be rejected.

What do you think?

--
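The checks discussed in comment #2 (overlapping entries must be rejected, bytes orphaned by deleting a member from the central directory must not be, and a compression-method allow-list), as an added Python example written for this thread; it is not code from std.zip or from the Phobos pull request. It parses the central directory itself. The sample archive is constructed with Python's zipfile module, and the overlapping, deleted-member and relabelled-method variants are crafted from it, so every input is synthetic. The overlapping variant is a miniature of the overlapping-entry construction used by the zip bomb linked in comment #1. ZIP64 is not handled and is flagged as such.

```python
"""Central-directory sanity checks for ZIP archives: reject overlapping
entries and unknown compression methods, but tolerate the unused bytes left
behind when a member is deleted from the central directory.
Example code written for this thread, not std.zip's implementation."""
import io
import struct
import zipfile

EOCD_SIG, CD_SIG, LFH_SIG, DD_SIG = 0x06054B50, 0x02014B50, 0x04034B50, 0x08074B50
EOCD_FMT = "<IHHHHIIH"           # end of central directory record, 22 bytes
CD_FMT = "<IHHHHHHIIIHHHHHII"    # central directory file header, 46 bytes
LFH_FMT = "<IHHHHHIIIHH"         # local file header, 30 bytes


def build_archive():
    """Constructed sample: three small deflated members written by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in ("a.txt", "b.txt", "c.txt"):
            zf.writestr(name, name[0].encode() * 1000)
    return buf.getvalue()


def _split(data):
    """Return (bytes before the central directory, CD records, EOCD fields, comment)."""
    eocd_pos = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    eocd = list(struct.unpack_from(EOCD_FMT, data, eocd_pos))
    total, cd_size, cd_offset = eocd[4], eocd[5], eocd[6]
    if total == 0xFFFF or cd_size == 0xFFFFFFFF or cd_offset == 0xFFFFFFFF:
        raise ValueError("ZIP64 archives are not handled by this example")
    if cd_offset + cd_size > eocd_pos:
        raise ValueError("central directory runs past the EOCD record")
    cd = data[cd_offset:cd_offset + cd_size]
    records, pos = [], 0
    for _ in range(total):
        if pos + 46 > len(cd) or struct.unpack_from("<I", cd, pos)[0] != CD_SIG:
            raise ValueError("truncated or corrupt central directory")
        f = struct.unpack_from(CD_FMT, cd, pos)
        n = 46 + f[10] + f[11] + f[12]        # fixed part + name + extra + comment
        records.append(cd[pos:pos + n])
        pos += n
    return data[:cd_offset], records, eocd, data[eocd_pos + 22:]


def _join(prefix, records, eocd, comment):
    """Reassemble an archive from _split() parts, fixing up EOCD counts and size."""
    eocd[3] = eocd[4] = len(records)
    eocd[5] = sum(len(r) for r in records)
    return prefix + b"".join(records) + struct.pack(EOCD_FMT, *eocd) + comment


def validate(data, allowed_methods=(0, 8)):
    """Return member names in file order, or raise ValueError on a malformed archive."""
    prefix, records, _, _ = _split(data)
    cd_offset = len(prefix)
    regions = []
    for rec in records:
        f = struct.unpack_from(CD_FMT, rec, 0)
        method, csize, name_len, lfh_offset = f[4], f[8], f[10], f[16]
        name = rec[46:46 + name_len].decode("utf-8", "replace")
        if method not in allowed_methods:
            raise ValueError(f"{name}: unsupported compression method {method}")
        if lfh_offset + 30 > cd_offset:
            raise ValueError(f"{name}: local header offset outside archive data")
        lfh = struct.unpack_from(LFH_FMT, data, lfh_offset)
        if lfh[0] != LFH_SIG:
            raise ValueError(f"{name}: bad local file header signature")
        end = lfh_offset + 30 + lfh[9] + lfh[10] + csize
        if lfh[2] & 0x08:                      # bit 3: a data descriptor follows the data
            end += 16 if data[end:end + 4] == struct.pack("<I", DD_SIG) else 12
        if end > cd_offset:
            raise ValueError(f"{name}: data runs into the central directory")
        regions.append((lfh_offset, end, name))
    regions.sort()
    for (_, prev_end, prev), (start, _, cur) in zip(regions, regions[1:]):
        if start < prev_end:                   # a hole (start > prev_end) is fine; sharing bytes is not
            raise ValueError(f"overlapping entries: {prev!r} and {cur!r}")
    return [name for _, _, name in regions]


def craft_overlapping(data):
    """Add a CD record under a new name that points at the first member's local header."""
    prefix, records, eocd, comment = _split(data)
    name_len = struct.unpack_from(CD_FMT, records[0], 0)[10]
    clone = records[0][:46] + b"z" * name_len + records[0][46 + name_len:]
    return _join(prefix, records + [clone], eocd, comment)


def craft_deleted_entry(data):
    """Drop the middle member from the CD only; its bytes stay in the file, unused."""
    prefix, records, eocd, comment = _split(data)
    return _join(prefix, records[:1] + records[2:], eocd, comment)


def craft_method(data, method):
    """Relabel the first member's compression method (e.g. 12 = bzip2)."""
    prefix, records, eocd, comment = _split(data)
    rec = bytearray(records[0])
    struct.pack_into("<H", rec, 10, method)   # method field sits at offset 10 of the record
    return _join(prefix, [bytes(rec)] + records[1:], eocd, comment)


def names_via_zipfile(data):
    """Cross-check: what Python's own zipfile reader sees in the archive."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()
```

The decisive comparison is `start < prev_end`: consecutive regions may touch or leave a hole, which is exactly what a member deleted from the central directory leaves behind, but they may never share bytes, which is what an overlapping-entry bomb relies on. Admitting bzip2 members is a one-token change to `allowed_methods`, which is the trade-off raised above.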
September 27
https://issues.dlang.org/show_bug.cgi?id=20027

Berni <dlang@croco-puzzle.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|nobody@puremagic.com        |dlang@croco-puzzle.com

--
October 07
https://issues.dlang.org/show_bug.cgi?id=20027

berni44 <bugzilla@d-ecke.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugzilla@d-ecke.de
           Assignee|dlang@croco-puzzle.com      |bugzilla@d-ecke.de

--
October 10
https://issues.dlang.org/show_bug.cgi?id=20027

--- Comment #3 from berni44 <bugzilla@d-ecke.de> ---
I moved several of these "rejects" to separate issues, grouping them thematically. I skipped issues that are already fixed, leaving here only the overlapping stuff, where I'll provide a fix in a minute.

--
October 10
https://issues.dlang.org/show_bug.cgi?id=20027

Dlang Bot <dlang-bot@dlang.rocks> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |pull

--- Comment #4 from Dlang Bot <dlang-bot@dlang.rocks> ---
@berni44 created dlang/phobos pull request #7223 "Fix issue 20027 - std.zip susceptible to zip malware attacks" fixing this issue:

- Fix issue 20027 - std.zip susceptible to zip malware attacks

https://github.com/dlang/phobos/pull/7223

--
October 10
https://issues.dlang.org/show_bug.cgi?id=20027

Dlang Bot <dlang-bot@dlang.rocks> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Dlang Bot <dlang-bot@dlang.rocks> ---
dlang/phobos pull request #7223 "Fix issue 20027 - std.zip susceptible to zip malware attacks" was merged into master:

- 5f3e85025d3b9aaf5f4435b7b778b92ba26b2b79 by Bernhard Seckinger:
  Fix issue 20027 - std.zip susceptible to zip malware attacks

https://github.com/dlang/phobos/pull/7223

--