Bugtraq mailing list archives
Re: Zip 2,31 bad default file-permissions vulnerability
From: Lupe Christoph <lupe () lupe-christoph de>
Date: Thu, 4 Aug 2005 15:27:00 +0200
Quoting Imran Ghory <imranghory () gmail com>:
On 8/4/05, Lupe Christoph <lupe () lupe-christoph de> wrote:Quoting Imran Ghory <imranghory () gmail com>:
A zip file created by Zip 2.3.1 has the permissions 644 by default, Therefore any file compressed becomes world readable.
Zip 2.3 works correctly: $ (umask 0; zip test.zip feedlist.opml; ls -l test.zip; rm test.zip) adding: feedlist.opml (deflated 80%) -rw-rw-rw- 1 lupe lupe 3156 Aug 4 10:52 test.zip
A clarification: Zip obeys the umask, the example I gave was due to most unix distributions having a default umask which makes new files world readable. Contrast this with gzip/bzip2 which will ignore the umask and preserve the permissions of the file being compressed.
You may argue that a default umask of 022 is too permissive, but when you do, be prepared for a lot of flak. You should not compare zip to bzip or gzip even though the names are similar but to tar. What should zip do when you pack multiple files with differing permissions? What zip does is entirely correct. Lupe Christoph -- | lupe () lupe-christoph de | http://www.lupe-christoph.de/ | | "... putting a mail server on the Internet without filtering is like | | covering yourself with barbecue sauce and breaking into the Charity | | Home for Badgers with Rabies. Michael Lucas |
Current thread:
- Zip 2,31 bad default file-permissions vulnerability Imran Ghory (Aug 03)
- Re: Zip 2,31 bad default file-permissions vulnerability Lupe Christoph (Aug 04)
- Re: Zip 2,31 bad default file-permissions vulnerability Imran Ghory (Aug 04)
- Re: Zip 2,31 bad default file-permissions vulnerability Lupe Christoph (Aug 04)
- Re: Zip 2,31 bad default file-permissions vulnerability Stephen C Woods (Aug 05)
- Re: Zip 2,31 bad default file-permissions vulnerability Lupe Christoph (Aug 05)
- Message not available
- Re: Zip 2,31 bad default file-permissions vulnerability Imran Ghory (Aug 09)
- Re: Zip 2,31 bad default file-permissions vulnerability Imran Ghory (Aug 04)
- Re: Zip 2,31 bad default file-permissions vulnerability Lupe Christoph (Aug 04)