Bug 1158950

Summary: file reports "data" instead of "zip archive data" when archive contains unknown version byte value
Product: Red Hat Enterprise Linux 6 Reporter: Alex Sigachev <a.sigachev>
Component: fileAssignee: Jan Kaluža <jkaluza>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.6CC: a.sigachev
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-31 06:12:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alex Sigachev 2014-10-30 14:57:24 UTC 
Description of problem: 
Missing default statement in zip archive checks results in "data" reported instead of "Zip archive data", if tested archive have version byte (at offset 4) value other than listed in magic file.


Version-Release number of selected component (if applicable):
file.x86_64 0:5.04-21.el6

How reproducible:
always

Steps to Reproduce:
1. issue file command on .zip file that contains byte at offset 4 with any value not listed in "magic" file

Actual results: data


Expected results: Zip archive data


Additional info:
The issue causes amavisd to skip archive checks, so it is important on mailservers. It was found because we have received some pieces of zipped malware inside archives with version byte=0x15.

At least version 5.15-4.20.1 of the tool on openSUSE 13.1 don't have this bug.
below is a snippet from the end of magic file section that belongs to zip archives:

-----cut------
# Generic zip archives (Greg Roelofs, c/o zip-bugs.edu)
#   Next line excludes specialized formats:
>(26.s+30)	leshort>!0xcafe
>>26    string          !\x8\0\0\0mimetype	Zip archive data
!:mime<>application/zip
>>>4	byte		0x09		\b, at least v0.9 to extract
>>>4	byte		0x0a		\b, at least v1.0 to extract
>>>4	byte		0x0b		\b, at least v1.1 to extract
>>>4	byte		0x14		\b, at least v2.0 to extract
>>>4	byte		0x2d		\b, at least v3.0 to extract
>>>0x161	string		WINZIP		\b, WinZIP self-extracting
-----cut------
This causes duplication of the "Zip archive data" phrase on normal zip files, but at least amavisd works well.
Comment 2 Jan Kaluža 2014-10-31 06:12:34 UTC 
This is duplicate of Bug 1154802.

*** This bug has been marked as a duplicate of bug 1154802 ***