A better zip bomb

billon
Posts: 843
Joined: Sat Jun 23, 2012 4:28 pm

A better zip bomb

#1 Post by billon »


Midas
Posts: 6710
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Re: A better zip bomb

#2 Post by Midas »

Wow! Dumbstruck. :o

My highlight:
2019-07-05: I noticed that CVE-2019-13232 was assigned for UnZip. Personally, I would dispute that UnZip's (or any zip parser's) ability to process a zip bomb of the kind discussed here necessarily represents a security vulnerability, or even a bug. It's a natural implementation and does not violate the specification in any way that I can tell. The type discussed in this article is only one type of zip bomb, and there are many ways in which zip parsing can go wrong that are not bombs. As mentioned above, if you want to defend against resource exhaustion attacks, you should not try to enumerate, detect, and block every individual known attack; rather you should impose external limits on time and other resources so that the parser cannot misbehave too much, no matter what kind of attack it faces.
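The defence the quoted paragraph recommends, as an added example that is neither the article's nor the forum's code: a Python extraction routine that enforces external budgets (total bytes actually inflated, member count, wall-clock time) rather than trying to recognise any particular bomb. The limit values, the function names and the constructed in-memory sample archives are assumptions for illustration.

```python
"""Bounded zip extraction: external budgets on output volume, member count
and elapsed time, enforced regardless of what the archive's headers claim."""
import io
import time
import zipfile
from typing import Dict, Optional


class ZipLimitExceeded(Exception):
    """Raised the moment any external budget is crossed."""


def make_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed sample input (not from the article): a one-member archive.
    A long run of zero bytes deflates at roughly 1000:1, enough to trip limits."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def declared_total(data: bytes) -> int:
    """Sum of the uncompressed sizes the central directory advertises.
    Cheap and useful as a first gate, but it is only what the archive says
    about itself, so bounded_extract() never relies on it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sum(info.file_size for info in zf.infolist())


def bounded_extract(data: bytes, *, max_total_bytes: int, max_members: int,
                    max_seconds: float, chunk_size: int = 64 * 1024) -> Dict[str, int]:
    """Inflate every member through one shared byte budget and one wall-clock
    deadline; return {member_name: bytes_actually_produced}.

    The counters measure bytes the decompressor really emitted, checked after
    every chunk, so the budget holds whether or not the headers are truthful
    and however many members point at the same compressed data.
    """
    deadline = time.monotonic() + max_seconds
    produced = 0
    sizes: Dict[str, int] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > max_members:
            raise ZipLimitExceeded(
                f"{len(infos)} members exceeds limit of {max_members}")
        for info in infos:
            member_bytes = 0
            with zf.open(info) as member:
                while True:
                    block = member.read(chunk_size)
                    if not block:
                        break
                    member_bytes += len(block)
                    produced += len(block)
                    if produced > max_total_bytes:
                        raise ZipLimitExceeded(
                            f"output exceeded {max_total_bytes} bytes "
                            f"while inflating {info.filename!r}")
                    if time.monotonic() > deadline:
                        raise ZipLimitExceeded(
                            f"time budget of {max_seconds}s exhausted "
                            f"while inflating {info.filename!r}")
            sizes[info.filename] = member_bytes
    return sizes


def check_archive(data: bytes, **limits) -> Optional[str]:
    """Gate helper: None if the archive fits inside the budgets, else the reason."""
    try:
        bounded_extract(data, **limits)
    except ZipLimitExceeded as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    limits = dict(max_total_bytes=1 << 20, max_members=100, max_seconds=5)
    benign = make_sample_zip("readme.txt", b"hello, world\n")
    bomb = make_sample_zip("zeros.bin", b"\0" * 5_000_000)
    print("benign:", bounded_extract(benign, **limits))
    print("bomb declares", declared_total(bomb), "bytes in", len(bomb), "on disk")
    print("bomb rejected:", check_archive(bomb, **limits))
```

The budgets belong to the consumer of the archive (how much disk, memory and time it can actually spend), not to any property of the attack, which is the point of the quoted paragraph: a new bomb construction that passes a header-sanity check still cannot exceed the byte counter. The member-count cap is there because archives that multiply tiny members are a separate way to burn time, and for untrusted input in production the same routine would additionally run under OS-level limits such as a cgroup or `setrlimit`, so that even a bug in the parser itself is contained.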

SYSTEM
Posts: 2041
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: A better zip bomb

#3 Post by SYSTEM »

Thanks. Amazing read. :)

webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: A better zip bomb

#4 Post by webfork »

SYSTEM wrote (Thu Jul 11, 2019 3:40 am): Thanks. Amazing read. :)
Agreed
