Bug#342378: file-roller: Sets incorrect passwords on .zip
Moritz Naumann
bugs.debian.org at moritz-naumann.com
Wed Dec 7 16:36:18 UTC 2005

Package: file-roller
Version: 2.10.4-2
Severity: important

File-roller seems to incorrectly set passwords on .zip files.

While I can set a password using file-roller and create a password protected
archive just fine, and can also extract files from this archive fine using
file-roller (after restarting the application), it is impossible to use the
InfoZip unzip CLI as contained in the 'unzip' Debian package (v5.52-5) to
decrypt this archive using the password previously set in file-roller.

This only happens with some passwords. While 'foobah' will work fine,
'foo$bah' does not, i.e. an archive garbled with this password can only be
restored by file-roller, but not using the CLI.

My guess is that file-roller incorrectly passes the password to the zip
utility, using something like

$ zip -P mypassword my.zip file1 file2

While this could be considered a security issue by itself (using the -e
option to pass the password to the (un)zip application is highly
recommended), the password may not be correctly escaped when being passed.
Obviously, passing a password value of 'foo$bah' using something like

$ zip -P foo$bah my.zip file1 file2

will not work.

But as said before, this is just a guess and the problem may be caused by
something completely different.
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-k7
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
Versions of packages file-roller depends on:
ii bzip2 1.0.2-10 high-quality block-sorting file co
ii gconf2 2.10.1-6 GNOME configuration database syste
ii gzip 1.3.5-12 The GNU compression utility
ii libart-2.0-2 2.3.17-1 Library of functions for 2D graphi
ii libatk1.0-0 1.10.3-1 The ATK accessibility toolkit
ii libbonobo2-0 2.10.1-1 Bonobo CORBA interfaces library
ii libbonoboui2-0 2.10.1-1 The Bonobo UI library
ii libc6 2.3.5-8 GNU C Library: Shared libraries an
ii libgconf2-4 2.10.1-6 GNOME configuration database syste
ii libglade2-0 1:2.5.1-2 library to load .glade files at ru
ii libglib2.0-0 2.8.3-1 The GLib library of C routines
ii libgnome2-0 2.10.1-1 The GNOME 2 library - runtime file
ii libgnomecanvas2-0 2.10.2-2 A powerful object-oriented display
ii libgnomeui-0 2.10.1-1 The GNOME 2 libraries (User Interf
ii libgnomevfs2-0 2.10.1-5 The GNOME virtual file-system libr
ii libgtk2.0-0 2.6.10-1 The GTK+ graphical user interface
ii libice6 6.8.2.dfsg.1-7 Inter-Client Exchange library
ii libnautilus-extension1 2.10.1-5 libraries for nautilus components
ii liborbit2 1:2.12.4-1 libraries for ORBit2 - a CORBA ORB
ii libpango1.0-0 1.8.2-3 Layout and rendering of internatio
ii libpopt0 1.7-5 lib for parsing cmdline parameters
ii libsm6 6.8.2.dfsg.1-7 X Window System Session Management
ii libxml2 2.6.22-2 GNOME XML library
ii tar 1.15.1-2 GNU tar
ii unzip 5.52-5 De-archiver for .zip files
ii xlibs 6.8.2.dfsg.1-7 X Window System client libraries m
ii zip 2.31-3 Archiver for .zip files
ii zlib1g 1:1.2.3-8 compression library - runtime
Versions of packages file-roller recommends:
ii arj 3.10.22-1 archiver for .arj files
ii lha 1.14i-10 lzh archiver
ii lzop 1.01-3 fast compression program
pn rpm <none> (no description available)
ii sharutils 1:4.2.1-15 shar, unshar, uuencode, uudecode
-- no debconf information
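
Added example, not part of the original report and not file-roller's code: it reproduces the failure mode the reporter guesses at, where a caller pastes the password into a single command string for a shell, and shows the same string surviving once it is quoted first. show_P is a hypothetical stand-in for zip that only echoes back the argument following -P, and the sample passwords are constructed.

```shell
#!/bin/sh
# show_P is a hypothetical stand-in for zip: it prints the argument that
# follows -P, so the demo shows what the child receives without archiving.

# Run a command string through a fresh shell, with 'bah' unset as it would be
# in an ordinary session.
run_string() {
    sh -c 'unset bah; show_P() { printf "%s" "$2"; }; '"$1"
}

# Wrap a value in single quotes, rewriting each embedded ' as '\''.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Password pasted into the command string as-is: the inner shell expands $bah.
naive_cmdline() {
    run_string "show_P -P $1 my.zip"
}

# Password quoted before it is pasted into the command string.
quoted_cmdline() {
    run_string "show_P -P $(sh_quote "$1") my.zip"
}

# Constructed sample password taken from the report's example.
pw='foo$bah'
printf 'typed:  %s\n' "$pw"
printf 'naive:  %s\n' "$(naive_cmdline "$pw")"
printf 'quoted: %s\n' "$(quoted_cmdline "$pw")"
```

If the guess in the report is right, the archive would be encrypted with the expanded string rather than the one typed, which matches unzip rejecting 'foo$bah' on the command line.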