Rubyzip is vulnerable to denial of service (DoS) attacks. The zip file entry extract method neither checks nor limits the amount of data it writes during extraction, allowing attackers to provide malicious ZIP file entries (aka ZIP bombs) with spoofed uncompressed sizes that consume disk space when they are extracted.
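The flaw described above, as an added example that is not rubyzip's own code: it constructs a raw-deflate entry (ZIP method 8) whose header claims 100 bytes but inflates to 4 MiB, then contrasts a check that trusts the header with a streaming extraction that caps the bytes actually produced. It uses only Ruby's standard Zlib; the method names, the 1 MiB policy limit and the sample entry are assumptions for illustration.

```ruby
require 'zlib'

class EntryTooLarge < StandardError; end

# Constructed sample entry (not a real archive): a spoofed header size next to a
# raw-deflate body (ZIP method 8) that actually inflates to real_size bytes.
def build_bomb_entry(real_size: 4 * 1024 * 1024, claimed_size: 100)
  deflater = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS)
  body = deflater.deflate("\0" * real_size, Zlib::FINISH)
  deflater.close
  { claimed_size: claimed_size, body: body }
end

# Vulnerable pattern: decide from the header's declared size alone.
# A spoofed header sails through this check.
def trusting_check(entry, limit)
  entry[:claimed_size] <= limit
end

# Mitigation: inflate in small input steps and count the bytes actually produced,
# aborting the moment the running total exceeds the limit. The header is never consulted.
# Returns the number of bytes that would have been written to disk.
def bounded_inflate(body, limit, chunk: 256)
  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS) # raw deflate, as inside ZIP entries
  written = 0
  pos = 0
  until pos >= body.bytesize || inflater.finished?
    out = inflater.inflate(body.byteslice(pos, chunk))
    pos += chunk
    written += out.bytesize # a real extractor would write `out` to the destination here
    raise EntryTooLarge, "entry exceeds #{limit} bytes (#{written} produced so far)" if written > limit
  end
  raise Zlib::DataError, 'truncated entry' unless inflater.finished?
  written
ensure
  inflater&.close
end

if __FILE__ == $PROGRAM_NAME
  entry = build_bomb_entry
  limit = 1024 * 1024 # assumed per-entry policy: 1 MiB
  puts "header-only check admits the entry: #{trusting_check(entry, limit)}"
  begin
    bounded_inflate(entry[:body], limit)
  rescue EntryTooLarge => e
    puts "streaming check rejected it: #{e.message}"
  end
end
```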
github.com/rubyzip/rubyzip/commit/d65fe7bd283ec94f9d6dc7605f61a6b0dd00f55e
github.com/rubyzip/rubyzip/pull/403
lists.fedoraproject.org/archives/list/[email protected]/message/J45KSFPP6DFVWLC7Z73L7SX735CKZYO6/
lists.fedoraproject.org/archives/list/[email protected]/message/MWWPORMSBHZTMP4PGF4DQD22TTKBQMMC/
lists.fedoraproject.org/archives/list/[email protected]/message/X255K6ZBAQC462PQN2ND5HOTTQEJ2G2X/