Unzip 6.0-21.el7 reports invalid ZIP bomb


Post by LemADEC » 2020/08/30 11:03:21

As part of routine patching of my CentOS 7 server, unzip was updated to version 6.0-21.el7. Since then, I can no longer extract large backup zip archives. The extraction aborts with a message saying "error: invalid zip file with overlapped components (possible zip bomb)".
Multiple archives are having this issue.
The same archives are extracted just fine when using 7-zip on my Windows 10 desktop.

From a quick search, it appears Unzip was updated to address a new ZIP bomb, see https://access.redhat.com/security/cve/CVE-2019-13232. I understand the issue is probably due to invalid options used during compilation for x86_64, possibly missing the "large file support" one?

Where can I find an older version of that package? Is there a way to recompile it with proper options?
Any alternatives for unzip on console?
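
A diagnostic sketch for the error quoted above (an added example, not part of the original post and not unzip's own check): it reads each member's local header and reports members whose byte ranges in the archive intersect, which is the condition the message names. The function names, the script name and the in-memory sample archive are constructed for illustration.

```python
import io
import struct
import sys
import zipfile

LOCAL_SIG = b"PK\x03\x04"  # local file header signature

def entry_spans(fileobj):
    """Return sorted (start, end, name) byte ranges, one per archive member."""
    spans = []
    with zipfile.ZipFile(fileobj) as zf:
        for info in zf.infolist():
            # The central directory says where each local header starts.
            fileobj.seek(info.header_offset)
            header = fileobj.read(30)
            if len(header) < 30 or header[:4] != LOCAL_SIG:
                raise ValueError(f"no local header for {info.filename!r}")
            name_len, extra_len = struct.unpack("<HH", header[26:30])
            # Header + name + extra + compressed data; a trailing data
            # descriptor is ignored, so spans are never overestimated.
            end = info.header_offset + 30 + name_len + extra_len + info.compress_size
            spans.append((info.header_offset, end, info.filename))
    return sorted(spans)

def find_overlaps(fileobj):
    """Return (earlier, later) name pairs whose byte ranges intersect."""
    overlaps = []
    reach, owner = 0, None  # furthest byte claimed so far, and by which member
    for start, end, name in entry_spans(fileobj):
        if owner is not None and start < reach:
            overlaps.append((owner, name))
        if end > reach:
            reach, owner = end, name
    return overlaps

def build_sample():
    """Constructed two-member archive (stored, no compression) for a dry run."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"hello")
        zf.writestr("b.txt", b"world")
    return buf.getvalue()

if __name__ == "__main__":
    # Usage: python3 check_overlap.py backup.zip   (file names are hypothetical)
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample())
    for earlier, later in find_overlaps(src):
        print(f"overlap: {earlier!r} and {later!r}")
```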
