Denial of service through decompression bombs
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| File Roller |
Confirmed
|
Medium
|
|||
| file-roller (Ubuntu) |
Triaged
|
Low
|
Ubuntu Desktop Bugs | ||
Bug Description
Decompression bombs, which result from a small file being uncompressed into a bigger one, can freeze the current application such as a browser, virus scanner, search tool and create system instability. More information about this can be found here:
http://
Sorry if this is already known of/unpreventable, but it can really harm and freeze a computer, depending on the size of the compressed file. Examples are available off the previous link.
Expected Behavior: An alert shown to the user, earlier termination of the application opening such file, or end in processing of that file.
Actual behavior: Application freezes (ui) and eventually the whole system starts lagging. Perhaps applications should have a "maximum cpu usage allowed" or something like that?
| Oleg Vaskevich (olegv) wrote | #1 |
| Michael Nagel (nailor) wrote | #2 |
| Changed in file-roller: | |
| assignee: | nobody → desktop-bugs |
| importance: | Undecided → Low |
| Changed in file-roller: | |
| status: | Incomplete → Confirmed |
| Sebastien Bacher (seb128) wrote | #4 |
| Pedro Villavicencio (pedro) wrote | #5 |
| Changed in file-roller (Ubuntu): | |
| status: | Confirmed → Triaged |
| Changed in file-roller: | |
| importance: | Undecided → Unknown |
| status: | New → Unknown |
| Changed in file-roller: | |
| status: | Unknown → New |
| Changed in file-roller: | |
| importance: | Unknown → Medium |
| security vulnerability: | yes → no |
| Changed in file-roller: | |
| status: | New → Confirmed |
The images can freeze the browser while the text files can freeze the text editor. Password to open those archives is AERAsec (specified in the read me file.) Again, this may be worthless and uncommon, but something that can unintentially freeze a browser and possibly the system can be dangerous.