Bug#775640: libarchive-zip-perl: FTBFS: Tests failure (unzip/CVE-2014-8139 regression?)
Santiago Vila
sanvila at unex.es
Fri Jan 30 10:16:30 UTC 2015
On Fri, 30 Jan 2015, Niko Tyni wrote:
> [...]
> I note that this is Debian specific as we add jar.zip in our patch for
> #654899. Upstream Archive-Zip doesn't have a jar file in their test
> suite at all.
>
> Andrew Gallagher's comment in
> https://bugzilla.redhat.com/show_bug.cgi?id=1174844
> is topical:
>
> I think this patch is causing "unzip -t" to now fail on executable
> JARs, which added the additional executable-jar extra field
> (http://stackoverflow.com/tags/executable-jar/info).
>
> FWIW I get similar 'unzip -t' failures with lots of .jar
> files on my system including jre system files like
> /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/dnsns.jar .
>
> I'm cc'ing unzip maintainer Santiago and the security team.
> Do you think this is a regression in unzip that should be fixed, or
> should we just work around it in libarchive-zip-perl (probably by
> disabling the relevant test)?
I'll ask the author.