diffoscope/137+205 ADT test failure in Focal/Jammy
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
diffoscope (Ubuntu) | New | Undecided | Unassigned |
Focal | New | Undecided | Unassigned |
Jammy | New | Undecided | Unassigned |
linux (Ubuntu) | New | Undecided | Unassigned |
Focal | Invalid | Undecided | Unassigned |
Jammy | Invalid | Undecided | Unassigned |
Bug Description
This is a scripted bug report about ADT failures while running diffoscope tests for linux/5.
Testing failed on:
amd64: https:/
arm64: https:/
armhf: https:/
ppc64el: https:/
s390x: https:/
CVE References
tags: added: kernel-adt-failure
Changed in linux (Ubuntu Focal):
status: New → Invalid
Changed in linux (Ubuntu Jammy):
status: New → Invalid
I was investigating this for 20.04/Focal but assuming this is the same for 22.04/Jammy. The logs show 4 subtests around zip files failing. Then in the details for the failures one sees this:
raise BadZipFile(f"Overlapped entries: {zinfo.orig_filename!r} (possible zip bomb)")
This correlates with a recent (Jul-09) update for python3.8 and 3.10:
  * SECURITY UPDATE: zipbomb DoS attack
    - debian/patches/CVE-2024-0450.patch: raise BadZipFile when trying
      to read an entry that overlaps with other entry or central
      directory.
    - CVE-2024-0450
The test files in diffoscope seem to trigger this and bail.
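To see which entries of a test archive would trip the overlap check described in the changelog, the following added example (not part of the bug report, diffoscope, or CPython) recomputes each entry's extent from the central directory without opening any entry. The function names and the sample archives are constructed for illustration, and it relies on the `start_dir` attribute that CPython's `ZipFile` sets.

```python
import io
import struct
import zipfile


def overlapped_entries(data):
    """Names of entries whose data runs into the next entry or the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()   # parsed from the central directory; nothing is opened
        end = zf.start_dir      # CPython attribute: offset where the central directory starts
    flagged = []
    # Walk from the highest local-header offset down; each entry must end
    # before the following entry (or the central directory) begins.
    for zi in sorted(infos, key=lambda z: z.header_offset, reverse=True):
        # Local header: 30 fixed bytes, name/extra lengths at offset 26.
        name_len, extra_len = struct.unpack_from("<HH", data, zi.header_offset + 26)
        data_end = zi.header_offset + 30 + name_len + extra_len + zi.compress_size
        if data_end > end:
            flagged.append(zi.filename)
        end = zi.header_offset
    return flagged


def build_samples():
    """Constructed inputs: a normal archive and a copy with two entries sharing one local header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"first entry\n")
        zf.writestr("b.txt", b"second entry\n")
    good = buf.getvalue()
    bad = bytearray(good)
    # Central directory record: the local-header offset is the 4 bytes at +42.
    last_record = good.rfind(b"PK\x01\x02")
    struct.pack_into("<I", bad, last_record + 42, 0)  # b.txt now points at a.txt's header
    return good, bytes(bad)


if __name__ == "__main__":
    good, bad = build_samples()
    print("good:", overlapped_entries(good))
    print("bad: ", overlapped_entries(bad))
```

Because it never calls `open()` on an entry, the result is the same on patched and unpatched Python builds, which makes it usable for auditing fixtures before and after the security update.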