Bug 175937 - zip allows no password deleting from password protected file
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: zip
Version: 4
Hardware: i386 Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Ivana Varekova
QA Contact: Ben Levenson
Keywords: Security
Reported: 2005-12-16 15:41 UTC by p thompson
Modified: 2007-11-30 22:11 UTC (History)

Doc Type: Bug Fix
Last Closed: 2006-01-05 08:29:03 UTC

Description p thompson 2005-12-16 15:41:40 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

Description of problem:
zip allows files to be deleted from password protected zip files without knowing the password.


Version-Release number of selected component (if applicable):
zip-2.3-30

How reproducible:
Always

Steps to Reproduce:
1. create password protected zip file
2. etc
3.
  

Actual Results:  
[thompson@monotheletisia new]$ zip -d infected.zip imgma.jpg
deleting: imgma.jpg
[thompson@monotheletisia new]$ unzip -t infected.zip
Archive:  infected.zip
[infected.zip] enter1.htm password:
    testing: enter1.htm               OK
    testing: count2.gif               OK
No errors detected in compressed data of infected.zip.


Additional info:

Comment 1 Ivana Varekova 2006-01-05 08:29:03 UTC
I discussed this problem with zip/unzip maintainers.
They write this behavior is right because it is technically trivial to delete
password-protected files from archives. If the removal without password wasn't
allowed someone could change it and it would be a worse problem.
That's why upstream does not try to do this operation password-protected, and
lets this operation be this way. Users will be better aware of what can be done
password-protected and what can't. I think this is a good reason to leave unzip
this way.
Thank you for your notice.
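
Added example, not part of the original bug report and not code from the zip project: because the archive password does not protect which entries an archive contains, integrity has to come from outside the archive. The code below seals an archive with an HMAC-SHA256 tag plus a manifest of its entries, then detects a removed entry; the key, function names and sample contents are constructed, and the sample archive is unencrypted because Python's zipfile cannot write encrypted entries.

```python
import hashlib
import hmac
import io
import zipfile


def manifest(archive: bytes) -> dict:
    """Entry name -> (CRC-32, size, encrypted flag), read without any password."""
    # Traditional ZIP encryption covers file data only, not the central directory.
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {i.filename: (i.CRC, i.file_size, bool(i.flag_bits & 0x1))
                for i in zf.infolist()}


def seal(archive: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the whole archive; store the tag separately from it."""
    return hmac.new(key, archive, hashlib.sha256).hexdigest()


def verify(archive: bytes, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(seal(archive, key), tag)


def removed_entries(sealed_manifest: dict, archive: bytes) -> list:
    """Names present when the archive was sealed but absent now."""
    return sorted(set(sealed_manifest) - set(manifest(archive)))


def build(entries: dict) -> bytes:
    """Constructed sample archive (unencrypted, see the note above the block)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data; only the entry names come from the report.
KEY = b"constructed-demo-key"
FILES = {"enter1.htm": b"<html></html>", "count2.gif": b"GIF89a", "imgma.jpg": b"\xff\xd8\xff"}
ORIGINAL = build(FILES)
TAG, SEALED = seal(ORIGINAL, KEY), manifest(ORIGINAL)
# The same archive after one entry was dropped, as `zip -d` did in the report.
MODIFIED = build({n: d for n, d in FILES.items() if n != "imgma.jpg"})

if __name__ == "__main__":
    print("original verifies:", verify(ORIGINAL, KEY, TAG))
    print("modified verifies:", verify(MODIFIED, KEY, TAG))
    print("removed entries:", removed_entries(SEALED, MODIFIED))
```

The tag and the sealed manifest must be kept somewhere the archive's handler cannot rewrite; the manifest only serves to name what is missing once the tag check fails.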

