Bugtraq: Re: Zip 2,31 bad default file-permissions vulnerability

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: Zip 2,31 bad default file-permissions vulnerability

From: Imran Ghory <imranghory () gmail com>
Date: Thu, 4 Aug 2005 13:01:23 +0100

On 8/4/05, Lupe Christoph <lupe () lupe-christoph de> wrote:

Quoting Imran Ghory <imranghory () gmail com>:

A zip file created by Zip 2.3.1 has the permissions 644 by default,
Therefore any file compressed becomes world readable.


Zip 2.3 works correctly:
$ (umask 0; zip test.zip feedlist.opml; ls -l test.zip; rm test.zip)
 adding: feedlist.opml (deflated 80%)
-rw-rw-rw-    1 lupe     lupe         3156 Aug  4 10:52 test.zip


A clarification: Zip obeys the umask, the example I gave was due to
most unix distributions having a default umask which makes new files
world readable. Contrast this with gzip/bzip2 which will ignore the
umask and preserve the permissions of the file being compressed.

Imran Ghory

By Date By Thread

Current thread:

Zip 2,31 bad default file-permissions vulnerability Imran Ghory (Aug 03)
- Re: Zip 2,31 bad default file-permissions vulnerability Lupe Christoph (Aug 04)
  - Re: Zip 2,31 bad default file-permissions vulnerability Imran Ghory (Aug 04)
    - Re: Zip 2,31 bad default file-permissions vulnerability Lupe Christoph (Aug 04)
    - Re: Zip 2,31 bad default file-permissions vulnerability Stephen C Woods (Aug 05)
    - Re: Zip 2,31 bad default file-permissions vulnerability Lupe Christoph (Aug 05)
    - Message not available
    - Re: Zip 2,31 bad default file-permissions vulnerability Imran Ghory (Aug 09)