While rebuilding the archiva RPM package, I noticed that some openSUSE systems complain about an invalid jar file, activation-1.1.1.jar.
unzip indicates an error:
unzip -t activation-1.1.1.jar
Archive: activation-1.1.1.jar
testing: META-INF/ bad extra-field entry:
EF block length (0 bytes) invalid (< 4)
testing: META-INF/MANIFEST.MF OK
Same for zip:
zip -T activation-1.1.1.jar
META-INF/ bad extra-field entry:
EF block length (0 bytes) invalid (< 4)
test of activation-1.1.1.jar FAILED
zip error: Zip file invalid, could not spawn unzip, or wrong unzip (original files unmodified)
It seems related to CVE-2014-8139, referenced by Red Hat for example:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8139
The unzip/zip protection patch seems incorrect, and it is not applied everywhere: Mint 17.1, for example, didn't complain.
If you're using zip/unzip to check jar consistency, be aware that some jars may be reported as invalid even though they are perfectly fine.
More and more jars/wars are reported as invalid; mysql-connector-java-5.1.31.jar and gitbucket-2.8.war are reported with errors too.
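To see what the check above is actually tripping on, here is an added example (not part of the original post) in Python that walks the extra field of every central-directory entry and separates a genuinely malformed field (a block overrunning or truncating the field) from one that merely contains a block with fewer than 4 data bytes, the condition the unzip output rejects. The sample jar is constructed in memory and assumes the flagged entry carries the zero-length 0xCAFE block that Java's jar tool writes on the first entry; the post does not say what the real activation jar contains.

```python
import io
import struct
import zipfile
EOCD_SIG, CDIR_SIG = b"PK\x05\x06", b"PK\x01\x02"
STRICT_MIN = 4  # the "(< 4)" threshold shown in the unzip output above

def parse_extra_blocks(extra):
    # Extra field = chain of [id:2][size:2][data:size] little-endian blocks;
    # zero data bytes is legal, only overrun or truncation is malformed.
    blocks, pos = [], 0
    while pos + 4 <= len(extra):
        ef_id, size = struct.unpack_from("<HH", extra, pos)
        if size > len(extra) - pos - 4:
            return blocks, "block length exceeds remaining EF data"
        blocks.append((ef_id, extra[pos + 4:pos + 4 + size]))
        pos += 4 + size
    return blocks, None if pos == len(extra) else "trailing bytes too short for a block header"

def central_directory_extras(data):
    # Yield (name, extra_bytes) for each central-directory entry of a zip/jar.
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        assert data[pos:pos + 4] == CDIR_SIG, "bad central directory header"
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        start = pos + 46  # fixed part of a central directory header
        yield (data[start:start + name_len].decode("utf-8"),
               data[start + name_len:start + name_len + extra_len])
        pos = start + name_len + extra_len + comment_len

def audit(data):
    # Classify each entry: truly malformed, fine, or fine but caught by the strict rule.
    verdicts = {}
    for name, extra in central_directory_extras(data):
        blocks, err = parse_extra_blocks(extra)
        short = any(len(body) < STRICT_MIN for _, body in blocks)
        verdicts[name] = ("malformed: " + err if err else
                          "spec-valid, rejected by strict '< 4' check" if short else "ok")
    return verdicts

def build_sample_jar():
    # Constructed sample (assumption): META-INF/ carries the zero-length 0xCAFE
    # marker block Java's jar tool writes; the manifest entry has no extra field.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        meta = zipfile.ZipInfo("META-INF/")
        meta.extra = struct.pack("<HH", 0xCAFE, 0)  # 4-byte header, 0 data bytes
        zf.writestr(meta, b"")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()
```

Running audit() on a jar that a patched unzip rejects tells you whether the extra field is really broken or only trips the short-block rule, which is the distinction the consistency check above does not make.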