BugTraq
Re: Zip 2,31 bad default file-permissions vulnerability Aug 04 2005 12:01PM
Imran Ghory (imranghory gmail com) (2 replies)
Re: Zip 2,31 bad default file-permissions vulnerability Aug 04 2005 10:17PM
Stephen C Woods (scw seas ucla edu)
Re: Zip 2,31 bad default file-permissions vulnerability Aug 04 2005 01:27PM
Lupe Christoph (lupe lupe-christoph de)
Quoting Imran Ghory <imranghory (at) gmail (dot) com [email concealed]>:
> On 8/4/05, Lupe Christoph <lupe (at) lupe-christoph (dot) de [email concealed]> wrote:
> > Quoting Imran Ghory <imranghory (at) gmail (dot) com [email concealed]>:

> > > A zip file created by Zip 2.3.1 has the permissions 644 by default,
> > > Therefore any file compressed becomes world readable.

> > Zip 2.3 works correctly:
> > $ (umask 0; zip test.zip feedlist.opml; ls -l test.zip; rm test.zip)
> > adding: feedlist.opml (deflated 80%)
> > -rw-rw-rw- 1 lupe lupe 3156 Aug 4 10:52 test.zip

> A clarification: Zip obeys the umask, the example I gave was due to
> most unix distributions having a default umask which makes new files
> world readable. Contrast this with gzip/bzip2 which will ignore the
> umask and preserve the permissions of the file being compressed.

You may argue that a default umask of 022 is too permissive, but when
you do, be prepared for a lot of flak.

You should not compare zip to bzip or gzip even though the names are
similar but to tar. What should zip do when you pack multiple files
with differing permissions?

What zip does is entirely correct.

Lupe Christoph
--
| lupe (at) lupe-christoph (dot) de [email concealed] | http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like |
| covering yourself with barbecue sauce and breaking into the Charity |
| Home for Badgers with Rabies. Michael Lucas |

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus