Bugtraq mailing list archives

Re: Zip 2,31 bad default file-permissions vulnerability

From: Lupe Christoph <lupe () lupe-christoph de>
Date: Thu, 4 Aug 2005 10:53:55 +0200

Quoting Imran Ghory <imranghory () gmail com>:

A zip file created by Zip 2.3.1 has the permissions 644 by default,
Therefore any file compressed becomes world readable.


Zip 2.3 works correctly:
$ (umask 0; zip test.zip feedlist.opml; ls -l test.zip; rm test.zip)
  adding: feedlist.opml (deflated 80%)
-rw-rw-rw-    1 lupe     lupe         3156 Aug  4 10:52 test.zip
$ (umask 077; zip test.zip feedlist.opml; ls -l test.zip; rm test.zip)
  adding: feedlist.opml (deflated 80%)
-rw-------    1 lupe     lupe         3156 Aug  4 10:52 test.zip

HTH,
Lupe Christoph
-- 
| lupe () lupe-christoph de       |           http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like   |
| covering yourself with barbecue sauce and breaking into the Charity    |
| Home for Badgers with Rabies.                            Michael Lucas |

Current thread:

Zip 2,31 bad default file-permissions vulnerability Imran Ghory (Aug 03)
- Re: Zip 2,31 bad default file-permissions vulnerability Lupe Christoph (Aug 04)
  - Re: Zip 2,31 bad default file-permissions vulnerability Imran Ghory (Aug 04)
    - Re: Zip 2,31 bad default file-permissions vulnerability Lupe Christoph (Aug 04)
    - Re: Zip 2,31 bad default file-permissions vulnerability Stephen C Woods (Aug 05)
    - Re: Zip 2,31 bad default file-permissions vulnerability Lupe Christoph (Aug 05)
    - Message not available
    - Re: Zip 2,31 bad default file-permissions vulnerability Imran Ghory (Aug 09)