While rebuilding the archiva RPM package, I noticed some openSUSE systems complaining about an invalid jar file for activation-1.1.1.jar.
Unzip indicates an error:
    unzip -t activation-1.1.1.jar
    Archive: activation-1.1.1.jar
    testing: META-INF/ bad extra-field entry:
    EF block length (0 bytes) invalid (< 4)
    testing: META-INF/MANIFEST.MF OK
Same for zip
    zip -T activation-1.1.1.jar
    META-INF/ bad extra-field entry:
    EF block length (0 bytes) invalid (< 4)
    test of activation-1.1.1.jar FAILED
    zip error: Zip file invalid, could not spawn unzip, or wrong unzip (original files unmodified)
It seems related to CVE-2014-8139, referenced by RH for example :
The unzip/zip protection patch seems incorrect and is not applied everywhere; for example, Mint 17.1 didn't complain.
If you're using zip/unzip to check jar consistency, be aware that some jars can be reported as invalid even though they are perfectly fine.
More and more jars/wars are reported as invalid: mysql-connector-java-5.1.31.jar and gitbucket-2.8.war are reported with errors too.
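A jar consistency check that does not depend on the patched unzip, as an added example (not code from the original post): it verifies every member's CRC-32 and walks the extra-field blocks itself, treating a zero-length block as well-formed and flagging only blocks that overrun the field. The sample jar is constructed, and the 0xCAFE marker that Java's JarOutputStream writes on the first entry is an assumed cause; the post does not say which block its jars carry. The names `parse_extra`, `check_jar` and `build_sample_jar` are hypothetical.

```python
import io
import struct
import zipfile

JAR_MAGIC = 0xCAFE  # ID of the empty marker block JarOutputStream writes


def parse_extra(extra):
    """Walk an extra field; return (blocks, error), error None if all blocks fit."""
    blocks, pos = [], 0
    while pos < len(extra):
        left = len(extra) - pos - 4
        if left < 0:
            return blocks, "truncated block header"
        block_id, size = struct.unpack_from("<HH", extra, pos)
        if size > left:  # the overrun a bounds check has to catch
            return blocks, f"block 0x{block_id:04x}: {size} bytes claimed, {left} left"
        blocks.append((block_id, extra[pos + 4:pos + 4 + size]))
        pos += 4 + size
    return blocks, None


def check_jar(data):
    """Return (first_bad_member, extra_errors, empty_blocks) for jar bytes."""
    errors, empty = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            blocks, err = parse_extra(info.extra)
            if err:
                errors.append((info.filename, err))
            # Zero-length blocks are well-formed: report, do not fail.
            empty += [(info.filename, bid) for bid, body in blocks if not body]
        first_bad = zf.testzip()  # reads every member and verifies its CRC-32
    return first_bad, errors, empty


def build_sample_jar():
    """Constructed sample: first entry carries a zero-length 0xCAFE block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        first = zipfile.ZipInfo("META-INF/")
        first.extra = struct.pack("<HH", JAR_MAGIC, 0)
        zf.writestr(first, b"")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(check_jar(build_sample_jar()))
```

Python's `zipfile` raises `BadZipFile` on open when a block overruns the extra field, so `check_jar` mainly surfaces trailing fragments and empty blocks; call `parse_extra` on raw bytes to inspect a field from a file that will not open.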