Bugtraq mailing list archives
Re: Zip 2,31 bad default file-permissions vulnerability
From: Stephen C Woods <scw () seas ucla edu>
Date: Thu, 4 Aug 2005 15:17:35 -0700
One can make a very convincing for umask -the actual definition is real permission = (~umask & file-permissions), it's easy enough to modify your .profile/.login/.cshrc to add a line umask 77. The problem is the zip uses a default mode of 666 (not knowing anything about permissions by definition -it's a DOS program for Pete's sake, you know single user file server). <scw> On Thu, Aug 04, 2005 at 01:01:23PM +0100, Imran Ghory wrote:
On 8/4/05, Lupe Christoph <lupe () lupe-christoph de> wrote:Quoting Imran Ghory <imranghory () gmail com>:A zip file created by Zip 2.3.1 has the permissions 644 by default, Therefore any file compressed becomes world readable.Zip 2.3 works correctly: $ (umask 0; zip test.zip feedlist.opml; ls -l test.zip; rm test.zip) adding: feedlist.opml (deflated 80%) -rw-rw-rw- 1 lupe lupe 3156 Aug 4 10:52 test.zipA clarification: Zip obeys the umask, the example I gave was due to most unix distributions having a default umask which makes new files world readable. Contrast this with gzip/bzip2 which will ignore the umask and preserve the permissions of the file being compressed. Imran Ghory
-- ----- Stephen C. Woods; UCLA SEASnet; 2567 Boelter hall; LA CA 90095; (310)-825-8614 Unless otherwise noted these statements are my own, Not those of the University of California. Internet mail:scw () seas ucla edu
Current thread:
- Zip 2,31 bad default file-permissions vulnerability Imran Ghory (Aug 03)
- Re: Zip 2,31 bad default file-permissions vulnerability Lupe Christoph (Aug 04)
- Re: Zip 2,31 bad default file-permissions vulnerability Imran Ghory (Aug 04)
- Re: Zip 2,31 bad default file-permissions vulnerability Lupe Christoph (Aug 04)
- Re: Zip 2,31 bad default file-permissions vulnerability Stephen C Woods (Aug 05)
- Re: Zip 2,31 bad default file-permissions vulnerability Lupe Christoph (Aug 05)
- Message not available
- Re: Zip 2,31 bad default file-permissions vulnerability Imran Ghory (Aug 09)
- Re: Zip 2,31 bad default file-permissions vulnerability Imran Ghory (Aug 04)
- Re: Zip 2,31 bad default file-permissions vulnerability Lupe Christoph (Aug 04)