Bug#342378: file-roller: Sets incorrect passwords on .zip

Moritz Naumann bugs.debian.org at moritz-naumann.com
Wed Dec 7 16:36:18 UTC 2005


Package: file-roller
Version: 2.10.4-2
Severity: important

File-roller seems to incorrectly set passwords on .zip files.

While I can set a password using file-roller and create a password protected 
archive just fine, and can also extract files from this archive fine using 
file-roller (after restarting the application), it is impossible to use the 
InfoZip unzip CLI as contained in the 'unzip' Debian package (v5.52-5) to 
decrypt this archive using the password previously set in file-roller. 

This only happens with some passwords. While 'foobah' will work fine, 
'foo$bah' does not, i.e. an archive garbled with this password can only be
restored by file-roller, but not using the CLI. 

My guess is that file-roller incorrectly passes the password to the zip 
utility, using something like 
  $ zip -P mypassword my.zip file1 file2

While this could be considered a security issue by itself (using the -e 
option to pass the password to the (un)zip application is highly 
recommended), the password may not be correctly escaped when being passed.

Obviously, passing a password value of 'foo$bah' using something like
  $ zip -P foo$bah my.zip file1 file2
will not work.

But as said before, this is just a guess and the problem may be caused by 
something completely different.


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-k7
Locale: LANG=de_DE at euro, LC_CTYPE=de_DE at euro (charmap=ISO-8859-15)

Versions of packages file-roller depends on:
ii  bzip2                     1.0.2-10       high-quality block-sorting file co
ii  gconf2                    2.10.1-6       GNOME configuration database syste
ii  gzip                      1.3.5-12       The GNU compression utility
ii  libart-2.0-2              2.3.17-1       Library of functions for 2D graphi
ii  libatk1.0-0               1.10.3-1       The ATK accessibility toolkit
ii  libbonobo2-0              2.10.1-1       Bonobo CORBA interfaces library
ii  libbonoboui2-0            2.10.1-1       The Bonobo UI library
ii  libc6                     2.3.5-8        GNU C Library: Shared libraries an
ii  libgconf2-4               2.10.1-6       GNOME configuration database syste
ii  libglade2-0               1:2.5.1-2      library to load .glade files at ru
ii  libglib2.0-0              2.8.3-1        The GLib library of C routines
ii  libgnome2-0               2.10.1-1       The GNOME 2 library - runtime file
ii  libgnomecanvas2-0         2.10.2-2       A powerful object-oriented display
ii  libgnomeui-0              2.10.1-1       The GNOME 2 libraries (User Interf
ii  libgnomevfs2-0            2.10.1-5       The GNOME virtual file-system libr
ii  libgtk2.0-0               2.6.10-1       The GTK+ graphical user interface 
ii  libice6                   6.8.2.dfsg.1-7 Inter-Client Exchange library
ii  libnautilus-extension1    2.10.1-5       libraries for nautilus components 
ii  liborbit2                 1:2.12.4-1     libraries for ORBit2 - a CORBA ORB
ii  libpango1.0-0             1.8.2-3        Layout and rendering of internatio
ii  libpopt0                  1.7-5          lib for parsing cmdline parameters
ii  libsm6                    6.8.2.dfsg.1-7 X Window System Session Management
ii  libxml2                   2.6.22-2       GNOME XML library
ii  tar                       1.15.1-2       GNU tar
ii  unzip                     5.52-5         De-archiver for .zip files
ii  xlibs                     6.8.2.dfsg.1-7 X Window System client libraries m
ii  zip                       2.31-3         Archiver for .zip files
ii  zlib1g                    1:1.2.3-8      compression library - runtime

Versions of packages file-roller recommends:
ii  arj                           3.10.22-1  archiver for .arj files
ii  lha                           1.14i-10   lzh archiver
ii  lzop                          1.01-3     fast compression program
pn  rpm                           <none>     (no description available)
ii  sharutils                     1:4.2.1-15 shar, unshar, uuencode, uudecode

-- no debconf information





More information about the Pkg-gnome-maintainers mailing list