unzip security update leads to extracting errors

Bug #1513293 reported by Owen Paul Thomas on 2015-11-05
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
unzip (Ubuntu)
High
Marc Deslauriers
Precise
High
Marc Deslauriers
Trusty
High
Marc Deslauriers
Vivid
High
Marc Deslauriers
Wily
High
Marc Deslauriers
Xenial
High
Marc Deslauriers

Bug Description

This problem appears to have spontaneously arisen for me in 14.4.

I am using the following version of file-roller to manage archives of an SVN code base:

$ apt-cache policy file-roller
file-roller:
  Installed: 3.10.2.1-0ubuntu4.1
  Candidate: 3.10.2.1-0ubuntu4.1
  Version table:
 *** 3.10.2.1-0ubuntu4.1 0
        500 http://au.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     3.10.2.1-0ubuntu4 0
        500 http://au.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

This application has suddenly decided to display the "An error occurred when extracting files" dialogue when accessing any of my archives - some dating back to July. I have tried copies of my archives from multiple media, and they all appear to have the same problem.

More specifically, there is at least one file (/svn/db/write-lock) in this code base that has the problem when I extract files manually. It is zero bytes in length and displays a lock icon along with every other file - I conclude this is because, like all the other files, it would be encrypted if it contained any data.

Hence, my problem appears to be a problem with the Archive Manager itself, and may have arisen from changes consequent to my last software update.

I try to unzip an archive from the command line and get the following:

$ unzip 2015-10-18.zip -d ~
Archive: 2015-10-18.zip
   creating: /home/owen/svn/
[2015-10-18.zip] svn/format password:
 extracting: /home/owen/svn/format
  inflating: /home/owen/svn/README.txt
   creating: /home/owen/svn/db/
 extracting: /home/owen/svn/db/current
 extracting: /home/owen/svn/db/format

  error: invalid compressed data to inflate

I can extract the archive without incident on an old windows machine and have put comments about my problem to the Ubuntu forums, but have yet to receive an answer that would reasonably accord with the problem I am experiencing.

I am perhaps just a little anxious, but relieved somewhat that I can still access my archives from another computer. Help would be much appreciated.

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1513293/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
affects: ubuntu → file-roller (Ubuntu)
Sebastien Bacher (seb128) wrote :

Thank you for your bug report. There was a recent security update to unzip
https://launchpad.net/ubuntu/+source/unzip/6.0-9ubuntu1.4

could you try reverting it to the previous version (https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6987027/+files/unzip_6.0-9ubuntu1.3_amd64.deb) and see if that resolves your issue?

Is there any chance you could add a small example of problematic file to the bug (is the issue specific your SVN backups or impacting other zips as well?)

Changed in file-roller (Ubuntu):
importance: Undecided → High
status: New → Incomplete

Thanks for your help. I am sorry that (for obvious reasons) I cannot submit my code base.

I can guess that the problem could be due to the SVN repo file structure creating conditions which cause the error - at least that is what the symptoms suggest to me. If you would like me to create a new SVN repo, I might be able to do this, but I am assuming that you would know how to do this too. I am using SVN through Netbeans (although I think my repo was created on an earlier version of SVN than the one prebundled with the version of Netbeans I am using).

A quick look at the SVN plugin in my version of Netbeans contains the following information:

Version: 1.37.1.42.1
Source: NetBeans IDE 8.0.2 (Build 201411181905).

I do not archive anything else - I use the archiving utility primarily for the encryption.

Sebastien Bacher (seb128) wrote :

No worry about not sharing your archive, could you try if installing the old version fixes your issue though?

Philip (k8-ubuntu) wrote :

I'm having the same issue with unzip-6.0-9ubuntu1.4.
Downgrading to 6.0-9ubuntu1.3 resolves it.

Sebastien Bacher (seb128) wrote :

thanks, that seems a regression with the unzip security update then

affects: file-roller (Ubuntu) → unzip (Ubuntu)
Changed in unzip (Ubuntu):
status: Incomplete → New
summary: - Archive Manager has spontaneously stopped working on all archives.
+ unzip security update leads extracting errors
summary: - unzip security update leads extracting errors
+ unzip security update leads to extracting errors
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue.

Is anyone able to give me an example of a problematic zip file, either in this bug, or in private?

tags: added: regression-update

Ummm... it looks like a novice needs someone to hold his hand...

I tried to find out how to revert to an earlier version, but I have had no luck as yet. I would like to do what Sebastien asked of me, but I want to tread carefully so as not to break my Ubuntu. I imagine that very few things would frustrate me more, and I don't want these frustrations to escape my imagination.

Seth Arnold (seth-arnold) wrote :

Owen, to see which versions of unzip can be easily installed, run: apt-cache show unzip | grep ^Version

Then use apt-get install unzip=version --- replace the "version" with an older version number.

On my system it looks like:
$ apt-cache show unzip | grep ^Version
Version: 6.0-9ubuntu1.4
Version: 6.0-9ubuntu1
$ sudo apt-get install unzip=6.0-9ubuntu1
Reading package lists... Done
Building dependency tree
Reading state information... Done
...
The following packages will be DOWNGRADED:
  unzip
0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 22 not upgraded.
Need to get 193 kB of archives.
After this operation, 5,120 B disk space will be freed.
Do you want to continue? [Y/n]
...
Setting up unzip (6.0-9ubuntu1) ...

Once you're done with your testing, a new 'apt-get upgrade' should bring your unzip back to the newest.

Thanks

Thanks Seth. I'll give it a go, and hopefully I'll get back with the news we're both hoping for...

Well, that was quite easy. After I reverted unzip, I successfully extracted the code base, and checked out the most recent revision.

Thumbs up!

Seth Arnold (seth-arnold) wrote :

Owen, thanks; any chance you could create a new svn repo, do whatever it is you do to create the zip file, and see if that recreates the issue? We can't find a zip file that demonstrates any issues and having one would help.

Thanks

I created the attached zip file containing a new svn repo. The password to this archive is UnzipBug.

On my computer I found that unzip gave up as reported. I then reverted as instructed by Seth and found that the problem did not appear.

I hope the problem is reproducible.

Marc Deslauriers (mdeslaur) wrote :

Thanks, I can reproduce the issue with the zipfile in attachment #13. The issue is caused by the 16-fix-integer-underflow-csiz-decrypted patch breaking support for 0-byte files because "if (csiz_decrypted <= 12)" should be "if (csiz_decrypted < 12)".

I'll prepare a regression fix. Thanks!

Changed in unzip (Ubuntu Precise):
status: New → Confirmed
Changed in unzip (Ubuntu Trusty):
status: New → Confirmed
Changed in unzip (Ubuntu Vivid):
status: New → Confirmed
Changed in unzip (Ubuntu Wily):
status: New → Confirmed
Changed in unzip (Ubuntu Xenial):
status: New → Confirmed
Changed in unzip (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in unzip (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in unzip (Ubuntu Vivid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in unzip (Ubuntu Wily):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in unzip (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unzip - 6.0-17ubuntu1.2

---------------
unzip (6.0-17ubuntu1.2) wily-security; urgency=medium

  * debian/patches/16-fix-integer-underflow-csiz-decrypted: updated to fix
    regression in handling 0-byte files (LP: #1513293)

 -- Marc Deslauriers <email address hidden> Mon, 09 Nov 2015 09:08:12 -0600

Changed in unzip (Ubuntu Wily):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unzip - 6.0-13ubuntu3.2

---------------
unzip (6.0-13ubuntu3.2) vivid-security; urgency=medium

  * debian/patches/16-fix-integer-underflow-csiz-decrypted: updated to fix
    regression in handling 0-byte files (LP: #1513293)

 -- Marc Deslauriers <email address hidden> Mon, 09 Nov 2015 09:14:34 -0600

Changed in unzip (Ubuntu Vivid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unzip - 6.0-9ubuntu1.5

---------------
unzip (6.0-9ubuntu1.5) trusty-security; urgency=medium

  * debian/patches/16-fix-integer-underflow-csiz-decrypted: updated to fix
    regression in handling 0-byte files (LP: #1513293)

 -- Marc Deslauriers <email address hidden> Mon, 09 Nov 2015 09:16:57 -0600

Changed in unzip (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unzip - 6.0-4ubuntu2.5

---------------
unzip (6.0-4ubuntu2.5) precise-security; urgency=medium

  * debian/patches/16-fix-integer-underflow-csiz-decrypted: updated to fix
    regression in handling 0-byte files (LP: #1513293)

 -- Marc Deslauriers <email address hidden> Mon, 09 Nov 2015 09:17:52 -0600

Changed in unzip (Ubuntu Precise):
status: Confirmed → Fix Released
Changed in unzip (Ubuntu Precise):
importance: Undecided → High
Changed in unzip (Ubuntu Trusty):
importance: Undecided → High
Changed in unzip (Ubuntu Vivid):
importance: Undecided → High
Changed in unzip (Ubuntu Wily):
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unzip - 6.0-19ubuntu2

---------------
unzip (6.0-19ubuntu2) xenial; urgency=medium

  * debian/patches/16-fix-integer-underflow-csiz-decrypted: updated to fix
    regression in handling 0-byte files (LP: #1513293)

 -- Marc Deslauriers <email address hidden> Mon, 09 Nov 2015 08:51:17 -0600

Changed in unzip (Ubuntu Xenial):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments