Bug 740012

Summary: unzip creates a link instead of extracting the file for some .zip archives
Product: Red Hat Enterprise Linux 6
Reporter: Scott Eikenberry <scotte>
Component: unzip
Assignee: Petr Stodulka <pstodulk>
Status: CLOSED ERRATA
QA Contact: Robin Hack <rhack>
Severity: high
Priority: unspecified
Version: 6.4
CC: ovasik, psklenar, rhack, scotte
Target Milestone: rc
Keywords: Patch
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: unzip-6.0-3.el6
Doc Type: Bug Fix
Doc Text:
Cause: The symlink flag in the information kept about each entry (file) was not initialised.
Consequence: When an archive contains more than 16k entries, one of the 16k entries is reused, and a symlink is present, some other entries can be wrongly presented as symlinks instead of regular files.
Fix: The missing initialisation of the symlink flag was added.
Result: Regular files are no longer evaluated as symlinks.
Clone Of:
: 1276746
Last Closed: 2015-12-15 16:36:27 UTC
Bug Blocks: 1254457
Attachments:
Description Flags
Undertaken patch none

Description Scott Eikenberry 2011-09-20 17:06:26 UTC
Description of problem:

There is a problem with unzip 6.0 that did not occur with unzip 5.5. We have noticed that some Zip files when extracted put in bad symbolic links where there should be a file. This has happened recently with a few McAfee DAT files.

The original DAT zip file can be fetched from McAfee.

Here is the version info:

$ unzip -h
UnZip 6.00 of 20 April 2009, by Info-ZIP.  Maintained by C. Spieler.  Send
bug reports using http://www.info-zip.org/zip-bug.html; see README for details.

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.0 (Santiago)

Here is a listing of the zip contents:

$unzip -v avvdat-6473.zip
Archive:  avvdat-6473.zip
Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
    8689  Defl:X     3410  61% 09-18-2011 06:40 22147a15  legal.txt
  624369  Stored   624369   0% 09-18-2011 06:40 7b442ef4  avvclean.dat
  438737  Stored   438737   0% 09-18-2011 06:40 af4df8f3  avvnames.dat
116665550  Stored 116665550   0% 09-18-2011 06:40 3918b107  avvscan.dat
--------          -------  ---                            -------
117737345         117732066   0%                            4 files

Here is the output of the zip extraction (notice the "linking"):
$ unzip \avvdat-6473.zip
Archive:  avvdat-6473.zip
  inflating: legal.txt
extracting: avvclean.dat
extracting: avvnames.dat
    linking: avvscan.dat             -> Copyright (c) McAfee DAT file^Z^A
finishing deferred symbolic links:
  avvscan.dat            -> Copyright (c) McAfee DAT file^Z^A

Here is what the extracted files from the ZIP look like:

$ ls -la
total 116168
drwxr-xr-x 2 sde stage      4096 Sep 20 00:49 .
drwxr-xr-x 3 sde stage      4096 Sep 20 00:46 ..
-rw-r--r-- 1 sde stage    624369 Sep 18 06:40 avvclean.dat
-rw-r--r-- 1 sde stage 117732659 Sep 20 00:47 avvdat-6473.zip
-rw-r--r-- 1 sde stage    438737 Sep 18 06:40 avvnames.dat
lrwxrwxrwx 1 sde stage        31 Sep 20 00:49 avvscan.dat -> Copyright (c) McAfee DAT file??
-rw-r--r-- 1 sde stage      8689 Sep 18 06:40 legal.txt

It appears the Debian bug forum has listed and fixed this same issue:
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=630078>
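A post-extraction check for the symptom shown in the description above, as an added example that is not part of the original report or of unzip. It reads the Unix mode stored in each central-directory entry and reports paths that are symlinks on disk although the archive stores them as regular files. All function names and the sample archive are constructed for illustration.

```python
import io, os, stat, tempfile, zipfile

def archive_symlinks(zf):
    """Names of entries whose central-directory Unix mode marks them as symlinks."""
    links = set()
    for info in zf.infolist():
        unix_host = info.create_system == 3      # 3 = Unix in the "version made by" field
        mode = info.external_attr >> 16          # high 16 bits carry st_mode for Unix hosts
        if unix_host and stat.S_ISLNK(mode):
            links.add(info.filename)
    return links

def audit_extraction(zip_bytes, root):
    """Entries that are symlinks under root although the archive stores regular files."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        expected_links = archive_symlinks(zf)
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    bogus = []
    for name in names:
        path = os.path.join(root, name)
        # islink() uses lstat, so dangling links (as in the report) are still seen
        if os.path.islink(path) and name not in expected_links:
            bogus.append(name)
    return sorted(bogus)

def build_sample():
    """Constructed archive: two regular files and one genuine symlink entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("legal.txt", "constructed sample text")
        zf.writestr("data.dat", "Copyright (c) sample DAT file")
        link = zipfile.ZipInfo("latest.dat")
        link.create_system = 3
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "data.dat")            # a symlink entry stores its target as data
    return buf.getvalue()

def simulate_bad_extraction(root):
    """Recreate the reported symptom: data.dat becomes a link named after its own content."""
    with open(os.path.join(root, "legal.txt"), "w") as f:
        f.write("constructed sample text")
    os.symlink("Copyright (c) sample DAT file", os.path.join(root, "data.dat"))
    os.symlink("data.dat", os.path.join(root, "latest.dat"))   # the one legitimate link

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        simulate_bad_extraction(root)
        print(audit_extraction(build_sample(), root))
```
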

Comment 2 RHEL Program Management 2011-09-20 17:29:30 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 3 RHEL Program Management 2012-09-07 05:09:44 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 4 Petr Stodulka 2013-10-21 07:52:20 UTC
Created attachment 814455 [details]
Undertaken patch

http://article.gmane.org/gmane.comp.version-control.git/181173

Comment 5 Petr Stodulka 2013-10-21 08:45:51 UTC
To reproduce:
wget https://github.com/mono/mono/archive/master.zip
unzip master.zip
[....]
finishing deferred symbolic links:

mono-master/mcs/class/System.Configuration/System.Configuration_test_net_2_0.dll.config
-> Test/App.config

mono-master/mcs/class/System.Configuration/System.Configuration_test_net_4_0.dll.config
-> Test/App.config

mono-master/mcs/class/System.Configuration/System.Configuration_test_net_4_5.dll.config
-> Test/App.config

mono-master/mcs/class/System.Web/Test/mainsoft/MainsoftWebApp/System_Web_UI_WebControls/DataGridColumn/DataGridColumn_HeaderText.aspx
-> <%@ Page Language="c#" AutoEventWireup="false"
[... more cruft from the contents of the file ...]
---------------------------------------
And errmsg "Filename too long". 
Added patch in attachment.

Comment 11 errata-xmlrpc 2015-12-15 16:36:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2648.html