| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 4 Aug 2005 15:27:00 +0200 From: Lupe Christoph <lupe@...e-christoph.de> To: Imran Ghory <imranghory@...il.com> Cc: bugtraq@...urityfocus.com Subject: Re: Zip 2,31 bad default file-permissions vulnerability Quoting Imran Ghory <imranghory@...il.com>: > On 8/4/05, Lupe Christoph <lupe@...e-christoph.de> wrote: > > Quoting Imran Ghory <imranghory@...il.com>: > > > A zip file created by Zip 2.3.1 has the permissions 644 by default, > > > Therefore any file compressed becomes world readable. > > Zip 2.3 works correctly: > > $ (umask 0; zip test.zip feedlist.opml; ls -l test.zip; rm test.zip) > > adding: feedlist.opml (deflated 80%) > > -rw-rw-rw- 1 lupe lupe 3156 Aug 4 10:52 test.zip > A clarification: Zip obeys the umask, the example I gave was due to > most unix distributions having a default umask which makes new files > world readable. Contrast this with gzip/bzip2 which will ignore the > umask and preserve the permissions of the file being compressed. You may argue that a default umask of 022 is too permissive, but when you do, be prepared for a lot of flak. You should not compare zip to bzip or gzip even though the names are similar but to tar. What should zip do when you pack multiple files with differing permissions? What zip does is entirely correct. Lupe Christoph -- | lupe@...e-christoph.de | http://www.lupe-christoph.de/ | | "... putting a mail server on the Internet without filtering is like | | covering yourself with barbecue sauce and breaking into the Charity | | Home for Badgers with Rabies. Michael Lucas |
Powered by blists - more mailing lists