Rico's Blog


OSS activist, ASF Member, former Tomcat contributor, founder of JPackage, DevOps Incubator and OBuildFactory projects. Dev, QA and Ops.


CVE-2014-8139 and activation-1.1.1.jar

info-zip

While rebuilding archiva RPM package, I noticed some openSUSE systems to complains about invalid jar file for activation-1.1.1.jar

Unzip indicate an error :

unzip -t activation-1.1.1.jar
Archive:  activation-1.1.1.jar
    testing: META-INF/               bad extra-field entry:
      EF block length (0 bytes) invalid (< 4)
    testing: META-INF/MANIFEST.MF     OK

Same for zip

zip -T activation-1.1.1.jar
META-INF/              bad extra-field entry:
      EF block length (0 bytes) invalid (< 4)
test of activation-1.1.1.jar FAILED
zip error: Zip file invalid, could not spawn unzip, or wrong unzip (original files unmodified)

It seems related to CVE-2014-8139, referenced by RH for example :

unzip/zip protection patch seems incorrect and not applied everywhere, for example Mint 17.1 didn’t complain.

If you’re using zip/unzip to check jar consistency, take care that some jars could be reported as invalid whereas they are perfectly fine.

More and more jars/wars are reported invalid, mysql-connector-java-5.1.31.jar or gitbucket-2.8.war are reported with errors too.

comments powered by Disqus