CVE-2019-13232

Name

CVE-2019-13232

Description

Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip bomb" issue.

NVD Severity

low

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

References

Type	URI
Product	https://github.com/madler/unzip
Third Party Advisory	https://www.bamsoftware.com/hacks/zipbomb/
Mailing List	https://lists.debian.org/debian-lts-announce/2019/07/msg00005.html
Third Party Advisory	https://lists.debian.org/debian-lts-announce/2019/07/msg00027.html
Third Party Advisory	https://security.netapp.com/advisory/ntap-20190814-0002/
Third Party Advisory	https://support.f5.com/csp/article/K80311892?utm_source=f5support&utm_medium=RSS
Third Party Advisory	https://security.gentoo.org/glsa/202003-58

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:unzip_project:unzip:6.0:::::::*`	unzip	== None	== 6.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
unzip	3.10-main	6.0-r6	Timo Teräs <timo.teras@iki.fi>	fixed
unzip	3.14-main	6.0-r9	Timo Teräs <timo.teras@iki.fi>	fixed
unzip	3.13-main	6.0-r9	Timo Teräs <timo.teras@iki.fi>	fixed
unzip	3.12-main	6.0-r9	Timo Teräs <timo.teras@iki.fi>	fixed
unzip	3.11-main	6.0-r7	Timo Teräs <timo.teras@iki.fi>	fixed
unzip	3.15-main	6.0-r9	Timo Teräs <timo.teras@iki.fi>	fixed
unzip	3.16-main	6.0-r9	Timo Teräs <timo.teras@iki.fi>	fixed
unzip	3.17-main	6.0-r13	Timo Teräs <timo.teras@iki.fi>	fixed
unzip	edge-main	6.0-r14	Timo Teräs <timo.teras@iki.fi>	fixed
unzip	3.18-main	6.0-r14	Timo Teräs <timo.teras@iki.fi>	fixed