diffoscope/137+205 ADT test failure in Focal/Jammy

Bug #2073410 reported by Stefan Bader
This bug affects 1 person
Affects              Status   Importance  Assigned to  Milestone
diffoscope (Ubuntu)  New      Undecided   Unassigned
  Focal              New      Undecided   Unassigned
  Jammy              New      Undecided   Unassigned
linux (Ubuntu)       New      Undecided   Unassigned
  Focal              Invalid  Undecided   Unassigned
  Jammy              Invalid  Undecided   Unassigned


Stefan Bader (smb)
tags: added: kernel-adt-failure
Changed in linux (Ubuntu Focal):
status: New → Invalid
Changed in linux (Ubuntu Jammy):
status: New → Invalid
Stefan Bader (smb) wrote :

I was investigating this for 20.04/Focal but am assuming this is the same for 22.04/Jammy. The logs show 4 subtests around zip files failing. Then in the details for the failures one sees this:

raise BadZipFile(f"Overlapped entries: {zinfo.orig_filename!r} (possible zip bomb)")

This correlates with a recent (Jul-09) update for python3.8 and 3.10:

  * SECURITY UPDATE: zipbomb DoS attack
    - debian/patches/CVE-2024-0450.patch: raise BadZipFile when trying
      to read an entry that overlaps with other entry or central
      directory.
    - CVE-2024-0450

The test files in diffoscope seem to trigger this and bail.

summary: - diffoscope/205 ADT test failure with linux/5.15.0-118.128
+ diffoscope/137+205 ADT test failure in Focal/Jammy
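
An added example, not part of the original report or of the Python patch: a header-only scan that lists which entries of an archive would trip the overlap check quoted above, which helps when auditing test fixtures across patched and unpatched interpreters. The helper names `overlapping_entries` and `build_samples` are hypothetical, and both sample archives are constructed inline.

```python
import io
import struct
import zipfile

def overlapping_entries(data: bytes) -> list:
    """Names of entries whose compressed data runs past the next local
    header or the central directory. Reads only headers, never the data."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos, end = zf.infolist(), zf.start_dir  # start_dir: central directory offset
    flagged = []
    # Highest header offset first: each entry must end before what follows it.
    for zi in sorted(infos, key=lambda z: z.header_offset, reverse=True):
        # Local header: 30 fixed bytes, name and extra lengths at offset 26.
        name_len, extra_len = struct.unpack_from("<HH", data, zi.header_offset + 26)
        data_end = zi.header_offset + 30 + name_len + extra_len + zi.compress_size
        if data_end > end:
            flagged.append(zi.filename)
        end = zi.header_offset
    return flagged

def build_samples():
    """Constructed input: a normal two-entry archive, and a copy whose second
    central-directory record is re-pointed at the first entry's local header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"A" * 64)
        zf.writestr("b.txt", b"B" * 64)
    clean = buf.getvalue()
    with zipfile.ZipFile(io.BytesIO(clean)) as zf:
        cd = zf.start_dir
    # Central record: 46 fixed bytes; name/extra/comment lengths at offset 28,
    # local header offset at offset 42.
    n, m, k = struct.unpack_from("<HHH", clean, cd + 28)
    second = cd + 46 + n + m + k
    tampered = bytearray(clean)
    struct.pack_into("<L", tampered, second + 42, 0)
    return clean, bytes(tampered)

if __name__ == "__main__":
    clean, tampered = build_samples()
    print("clean:   ", overlapping_entries(clean))
    print("tampered:", overlapping_entries(tampered))
```

Because the scan never calls `ZipFile.open()`, it gives the same answer whether or not the interpreter carries the CVE-2024-0450 patch.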