Bug 54647 - remote file access/damage
Summary: remote file access/damage
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: unzip
Version: 6.2
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Trond Eivind Glomsrxd
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2001-10-15 12:53 UTC by Graham Houston
Modified: 2007-03-27 03:49 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2001-10-15 12:53:20 UTC
Embargoed:


Attachments (Terms of Use)

Description Graham Houston 2001-10-15 12:53:16 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

Description of problem:
a user can modify the zipped file in order to do damage to the file system

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.Create a Win/Dos PKZIP file
2.alter the binary files and change the file/directory strings 
3.unzip the file on your linux box
4.and you can replace /etc/passwd etc with a file in the zip file?
	

Actual Results:  I was able to replace any file on the linux box that I 
owned, with
the content of the archived file that had its file string changed

example (../../../../../../etc/passwd)

Expected Results:  this should no be allowed to happen

Additional info:

this can cause a lot of damage to any linux box?

Comment 1 Trond Eivind Glomsrxd 2001-10-17 15:55:39 UTC
Unpacking archives can overwrite files if you're not careful about where you
unpack it and what files it contains - this is not a bug, it's a user education
issue.

Comment 2 Need Real Name 2002-08-25 11:47:28 UTC
It is a bug.

See http://www.info-zip.org/FAQ.html

UnZip 5.42 and earlier
virtually all
All versions of UnZip through 5.42 have a directory-traversal vulnerability 
that allows them to unpack files in unexpected places. Specifically, if an 
archive contains files with leading "/" characters (i.e., relative to the 
top-level/root directory) or with ".." components ("previous directory 
level"), UnZip will unpack the files in the indicated locations, possibly 
creating directory trees in the process--and, if the -o ("overwrite") 
option is given, quietly destroying existing files outside the intended 
directory tree. This is fixed in version 5.50, and a patch (slight 
overkill, but apparently effective) is available on the Bugtraq page that 
reported the problem. (Thanks to Anya Berdichevskaya for the pointer.)


Note You need to log in before you can comment on or make changes to this bug.