lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1123162020.42f217a4d5834@buexe.b-5.de>
Date: Thu,  4 Aug 2005 15:27:00 +0200
From: Lupe Christoph <lupe@...e-christoph.de>
To: Imran Ghory <imranghory@...il.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Zip 2,31 bad default file-permissions vulnerability


Quoting Imran Ghory <imranghory@...il.com>:
> On 8/4/05, Lupe Christoph <lupe@...e-christoph.de> wrote:
> > Quoting Imran Ghory <imranghory@...il.com>:

> > > A zip file created by Zip 2.3.1 has the permissions 644 by default,
> > > Therefore any file compressed becomes world readable.

> > Zip 2.3 works correctly:
> > $ (umask 0; zip test.zip feedlist.opml; ls -l test.zip; rm test.zip)
> >  adding: feedlist.opml (deflated 80%)
> > -rw-rw-rw-    1 lupe     lupe         3156 Aug  4 10:52 test.zip

> A clarification: Zip obeys the umask, the example I gave was due to
> most unix distributions having a default umask which makes new files
> world readable. Contrast this with gzip/bzip2 which will ignore the
> umask and preserve the permissions of the file being compressed.

You may argue that a default umask of 022 is too permissive, but when
you do, be prepared for a lot of flak.

You should not compare zip to bzip or gzip even though the names are
similar but to tar. What should zip do when you pack multiple files
with differing permissions?

What zip does is entirely correct.

Lupe Christoph
-- 
| lupe@...e-christoph.de       |           http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like   |
| covering yourself with barbecue sauce and breaking into the Charity    |
| Home for Badgers with Rabies.                            Michael Lucas | 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ