Bug 54647

Summary: remote file access/damage
Product: [Retired] Red Hat Linux Reporter: Graham Houston <houston>
Component: unzipAssignee: Trond Eivind Glomsrxd <teg>
Status: CLOSED NOTABUG QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: high    
Version: 6.2Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2001-10-15 12:53:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Graham Houston 2001-10-15 12:53:16 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

Description of problem:
a user can modify the zipped file in order to do damage to the file system

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.Create a Win/Dos PKZIP file
2.alter the binary files and change the file/directory strings 
3.unzip the file on your linux box
4.and you can replace /etc/passwd etc with a file in the zip file?
	

Actual Results:  I was able to replace any file on the linux box that I 
owned, with
the content of the archived file that had its file string changed

example (../../../../../../etc/passwd)

Expected Results:  this should no be allowed to happen

Additional info:

this can cause a lot of damage to any linux box?
Comment 1 Trond Eivind Glomsrxd 2001-10-17 15:55:39 UTC 
Unpacking archives can overwrite files if you're not careful about where you
unpack it and what files it contains - this is not a bug, it's a user education
issue.
Comment 2 Need Real Name 2002-08-25 11:47:28 UTC 
It is a bug.

See http://www.info-zip.org/FAQ.html

UnZip 5.42 and earlier
virtually all
All versions of UnZip through 5.42 have a directory-traversal vulnerability 
that allows them to unpack files in unexpected places. Specifically, if an 
archive contains files with leading "/" characters (i.e., relative to the 
top-level/root directory) or with ".." components ("previous directory 
level"), UnZip will unpack the files in the indicated locations, possibly 
creating directory trees in the process--and, if the -o ("overwrite") 
option is given, quietly destroying existing files outside the intended 
directory tree. This is fixed in version 5.50, and a patch (slight 
overkill, but apparently effective) is available on the Bugtraq page that 
reported the problem. (Thanks to Anya Berdichevskaya for the pointer.)