Bugtraq mailing list archives
Re: Zip 2,31 bad default file-permissions vulnerability
From: Imran Ghory <imranghory () gmail com>
Date: Thu, 4 Aug 2005 13:01:23 +0100
On 8/4/05, Lupe Christoph <lupe () lupe-christoph de> wrote:
Quoting Imran Ghory <imranghory () gmail com>:A zip file created by Zip 2.3.1 has the permissions 644 by default, Therefore any file compressed becomes world readable.Zip 2.3 works correctly: $ (umask 0; zip test.zip feedlist.opml; ls -l test.zip; rm test.zip) adding: feedlist.opml (deflated 80%) -rw-rw-rw- 1 lupe lupe 3156 Aug 4 10:52 test.zip
A clarification: Zip obeys the umask, the example I gave was due to most unix distributions having a default umask which makes new files world readable. Contrast this with gzip/bzip2 which will ignore the umask and preserve the permissions of the file being compressed. Imran Ghory
Current thread:
- Zip 2,31 bad default file-permissions vulnerability Imran Ghory (Aug 03)
- Re: Zip 2,31 bad default file-permissions vulnerability Lupe Christoph (Aug 04)
- Re: Zip 2,31 bad default file-permissions vulnerability Imran Ghory (Aug 04)
- Re: Zip 2,31 bad default file-permissions vulnerability Lupe Christoph (Aug 04)
- Re: Zip 2,31 bad default file-permissions vulnerability Stephen C Woods (Aug 05)
- Re: Zip 2,31 bad default file-permissions vulnerability Lupe Christoph (Aug 05)
- Message not available
- Re: Zip 2,31 bad default file-permissions vulnerability Imran Ghory (Aug 09)
- Re: Zip 2,31 bad default file-permissions vulnerability Imran Ghory (Aug 04)
- Re: Zip 2,31 bad default file-permissions vulnerability Lupe Christoph (Aug 04)