Denial of service through decompression bombs

Bug #183660 reported by Oleg Vaskevich on 2008-01-17
4
Affects Status Importance Assigned to Milestone
File Roller
Confirmed
Medium
file-roller (Ubuntu)
Low
Ubuntu Desktop Bugs

Bug Description

Decompression bombs, which result from a small file being uncompressed into a bigger one, can freeze the current application such as a browser, virus scanner, search tool and create system instability. More information about this can be found here:

http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html

Sorry if this is already known of/unpreventable, but it can really harm and freeze a computer, depending on the size of the compressed file. Examples are available off the previous link.

Expected Behavior: An alert shown to the user, earlier termination of the application opening such file, or end in processing of that file.
Actual behavior: Application freezes (ui) and eventually the whole system starts lagging. Perhaps applications should have a "maximum cpu usage allowed" or something like that?

Oleg Vaskevich (olegv) wrote :

The images can freeze the browser while the text files can freeze the text editor. Password to open those archives is AERAsec (specified in the read me file.) Again, this may be worthless and uncommon, but something that can unintentially freeze a browser and possibly the system can be dangerous.

Michael Nagel (nailor) wrote :

thanks for reporting, but right here in the launchpad bug tracker we track precise bugs, that is where expected behavior does not match expected behavior and it's clear what should be done. this issue can not (yet, because it should be discussed WHAT EXACTLY should be done) be adressed thus...

Oleg Vaskevich (olegv) wrote :

Ok, updated description.

description: updated
Changed in file-roller:
assignee: nobody → desktop-bugs
importance: Undecided → Low
Michael Nagel (nailor) on 2008-11-02
Changed in file-roller:
status: Incomplete → Confirmed
Sebastien Bacher (seb128) wrote :

The ubuntu team doesn't have the ressources to work on this specific issue but it would be nice if somebody could send the bug the to the people writting the software (https://wiki.ubuntu.com/Bugs/Upstream/GNOME)

Pedro Villavicencio (pedro) wrote :

Thanks for your bug report. This bug has been reported to the developers of the software. You can track it and make comments here: http://bugzilla.gnome.org/show_bug.cgi?id=590148

Changed in file-roller (Ubuntu):
status: Confirmed → Triaged
Changed in file-roller:
importance: Undecided → Unknown
status: New → Unknown
Changed in file-roller:
status: Unknown → New
Changed in file-roller:
importance: Unknown → Medium
security vulnerability: yes → no
Changed in file-roller:
status: New → Confirmed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.