From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

Description of problem:
A user can modify the zipped file in order to do damage to the file system.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Create a Win/DOS PKZIP file
2. Alter the binary files and change the file/directory strings
3. Unzip the file on your Linux box
4. And you can replace /etc/passwd etc. with a file in the zip file?

Actual Results:
I was able to replace any file on the Linux box that I owned with the content of the archived file that had its file string changed, for example (../../../../../../etc/passwd).

Expected Results:
This should not be allowed to happen.

Additional info:
This can cause a lot of damage to any Linux box?
Unpacking archives can overwrite files if you're not careful about where you unpack it and what files it contains - this is not a bug, it's a user education issue.
It is a bug. See http://www.info-zip.org/FAQ.html

UnZip 5.42 and earlier (virtually all)

All versions of UnZip through 5.42 have a directory-traversal vulnerability that allows them to unpack files in unexpected places. Specifically, if an archive contains files with leading "/" characters (i.e., relative to the top-level/root directory) or with ".." components ("previous directory level"), UnZip will unpack the files in the indicated locations, possibly creating directory trees in the process--and, if the -o ("overwrite") option is given, quietly destroying existing files outside the intended directory tree. This is fixed in version 5.50, and a patch (slight overkill, but apparently effective) is available on the Bugtraq page that reported the problem. (Thanks to Anya Berdichevskaya for the pointer.)
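
Added example, not part of the original bug report or of the Info-ZIP patch: a pre-extraction check that reads an archive's entry names and flags the two cases the FAQ text describes, a leading "/" and a ".." component. The function names and the sample archive are constructed for illustration; treating backslashes as separators is an assumption made because the report starts from a Win/DOS archive.

```python
import io
import zipfile


def unsafe_entries(zip_bytes):
    """Return entry names that would resolve outside the extraction directory."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Assumption: DOS/Windows-built archives may carry backslash separators.
            name = info.filename.replace("\\", "/")
            parts = name.split("/")
            # Case 1: leading "/" (path relative to the root directory).
            # Case 2: any ".." component (previous directory level).
            if name.startswith("/") or ".." in parts:
                flagged.append(info.filename)
    return flagged


def build_sample():
    """Build a constructed in-memory archive mixing benign and traversal names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", b"benign")
        zf.writestr("notes..txt", b"benign: dots inside a name are not a component")
        zf.writestr("../../../../../../etc/passwd", b"constructed placeholder")
        zf.writestr("/tmp/abs.txt", b"constructed placeholder")
        zf.writestr("..\\..\\win.txt", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    bad = unsafe_entries(build_sample())
    if bad:
        print("refusing to extract; unsafe entry names:")
        for entry in bad:
            print("  " + entry)
```

Listing an archive before extracting it into a fresh directory, and refusing it if anything is flagged, covers the overwrite case regardless of which UnZip version is installed.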