Errors when extracting ZIP files. It can not differentiate between files and directories

Bug #1830629 reported by Alejandro Claro
Affects              Status        Importance  Assigned to  Milestone
libarchive (Ubuntu)  Fix Released  High        Unassigned
Bionic               Fix Released  Undecided   Unassigned

Bug Description

* Impact
The bionic version has a known problem when reading file entries in ZIP files: it misidentifies directory entries as file entries.

* Test case
$ wget https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1830629/+attachment/5268728/+files/example.zip
$ bsdtar -vxf example.zip
$ ls -l

The 'ABCD_1234' and 'empty' entries should be directories
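As an added illustration (not part of the report and not libarchive's code), the following Python script builds a small archive shaped like the one in the test case, shows the two independent signals a ZIP reader has for deciding whether an entry is a directory (the trailing '/' in the name and the external attribute bits), and then performs the check the test case asks for on an extracted tree. The entry named 'mixed' is constructed so that the two signals disagree; it is not a claim about what example.zip contains or about the cause of the libarchive defect.

```python
import io
import os
import tempfile
import zipfile

S_IFMT, S_IFDIR, S_IFREG = 0o170000, 0o040000, 0o100000
MSDOS_DIR = 0x10  # FAT directory attribute, low byte of external_attr


def build_sample_zip() -> bytes:
    """Constructed stand-in for the report's example.zip (not the attachment):
    two directory entries, one file, and one deliberately inconsistent entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("ABCD_1234/", "empty/"):      # well-formed directory entries
            zi = zipfile.ZipInfo(name)
            zi.external_attr = ((S_IFDIR | 0o755) << 16) | MSDOS_DIR
            zf.writestr(zi, b"")
        zf.writestr("ABCD_1234/readme.txt", "hello\n")  # regular file entry
        zi = zipfile.ZipInfo("mixed")               # name has no trailing slash ...
        zi.external_attr = MSDOS_DIR                # ... but the attribute says directory
        zf.writestr(zi, b"")
    return buf.getvalue()


def classify_entry(info: zipfile.ZipInfo) -> str:
    """Return 'dir', 'file' or 'ambiguous' by comparing the name convention
    with the external attribute bits of one central-directory entry."""
    name_says_dir = info.filename.endswith("/")
    unix_mode = info.external_attr >> 16         # high 16 bits carry a Unix st_mode
    attr_says_dir = bool(info.external_attr & MSDOS_DIR) or (unix_mode & S_IFMT) == S_IFDIR
    attr_says_file = (unix_mode & S_IFMT) == S_IFREG
    if name_says_dir and not attr_says_file:
        return "dir"
    if not name_says_dir and not attr_says_dir:
        return "file"
    return "ambiguous"                            # signals disagree: worth a closer look


def classify_archive(data: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify_entry(i) for i in zf.infolist()}


def verify_extraction(data: bytes) -> dict:
    """Extract with Python's zipfile (as a reference extractor) and report, for
    every entry that should be a directory, whether it is one on disk."""
    expected = classify_archive(data)
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.extractall(tmp)
        return {n: os.path.isdir(os.path.join(tmp, n))
                for n, kind in expected.items() if kind == "dir"}
```

The same `os.path.isdir` check, run over a tree produced by `bsdtar -xf example.zip`, is what distinguishes the affected 3.2.2 build from a fixed one.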

* Regression potential
Check that extracting ZIP files with bsdtar or nautilus works without issue.

--------------------------------

It has been confirmed that the previous and following versions (3.3.1+) do not have this problem and the library handles the ZIP files correctly.

Is it possible to include a newer version of libarchive (3.3.1+) in Bionic?

This problem is seriously affecting some of our systems.

Revision history for this message
Alejandro Claro (aclaro) wrote :

Here are the references to the related issues reported previously in libarchive GitHub:

https://github.com/libarchive/libarchive/issues/822

https://github.com/libarchive/libarchive/issues/853

And the pull request that solves the issue:

https://github.com/libarchive/libarchive/pull/850

Alex Murray (alexmurray) wrote :

Thanks for reporting this issue - this would appear to have potential security implications, however as it is already public I see no reason to keep this private - if a CVE were to be assigned then this could be fixed via a security update by the security team, otherwise this would be fixed via the normal SRU process[1]. As such, please feel free to file a CVE request with MITRE[2] and if one is assigned, please update this bug report with the CVE ID and we can fix it via the security team.

[1] https://wiki.ubuntu.com/StableReleaseUpdates
[2] https://cve.mitre.org/cve/request_id.html

information type: Private Security → Public Security
Sebastien Bacher (seb128) wrote :

The commit seems reasonable for an SRU. Could you maybe add an example/testcase to the bug that could be used for the SRU process? (We need to be able to verify the problem and the solution.)

Alejandro Claro (aclaro) wrote :

Hi Sebastien,

Sure. Here is a zip file that is very easy to use to reproduce the defect. The defect is not in bsdtar, it's in libarchive. However, since bsdtar depends on libarchive, this can be used to demonstrate the problem, as someone reports in the GitHub issue report:

https://github.com/libarchive/libarchive/issues/822

If you try to extract the content with bsdtar:

# bsdtar -vxf example.zip

You will see an error, and if you look at the result in the filesystem, 'ABCD_1234' and 'empty' are created as files instead of directories. If you try the same operation using unzip in another directory (or after cleaning up the previous operation):

# unzip example.zip

You will see the right result (ABCD_1234 and empty directories).

Thanks for taking care of this,
Alejandro

Alejandro Claro (aclaro) wrote :

One important note here,

The defect is only present in version 3.2.2 (the official Bionic version now). The previous and next versions do work properly.

Sebastien Bacher (seb128) wrote :

Thank you for your bug report, marking the bug as fixed since the issue is resolved in the current version.

We are doing an SRU backport to Bionic as well (the corresponding line will be added to the report).

Changed in libarchive (Ubuntu):
importance: Undecided → High
status: New → Fix Released
description: updated
Steve Langasek (vorlon) wrote : Proposed package upload rejected

An upload of libarchive to bionic-proposed has been rejected from the upload queue for the following reason: "reuploading with sru-appropriate version numbering".

Brian Murray (brian-murray) wrote : Please test proposed package

Hello Alejandro, or anyone else affected,

Accepted libarchive into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libarchive/3.2.2-3.1ubuntu0.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in libarchive (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Alejandro Claro (aclaro) wrote :

Thank you Brian,

We are going to be testing it during this week. I will let you know the results.

Alejandro Claro (aclaro) wrote :

Good morning Murray,

We performed some tests and everything looks fine.

Thank you very much.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (libarchive/3.2.2-3.1ubuntu0.4)

All autopkgtests for the newly accepted libarchive (3.2.2-3.1ubuntu0.4) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

gvfs/1.36.1-0ubuntu1.3.3 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#libarchive

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libarchive - 3.2.2-3.1ubuntu0.4

---------------
libarchive (3.2.2-3.1ubuntu0.4) bionic; urgency=medium

  * debian/patches/git_zip_directories.patch:
    - backport a fix for an issue where files are created instead of
      directories (lp: #1830629)

 -- Sebastien Bacher <email address hidden> Fri, 28 Jun 2019 21:20:28 +0200

Changed in libarchive (Ubuntu Bionic):
status: Fix Committed → Fix Released
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for libarchive has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
