Bug#342378: file-roller: Sets incorrect passwords on .zip

Josselin Mouette joss at debian.org
Thu Dec 8 09:27:55 UTC 2005


On Wednesday 07 December 2005 at 17:36 +0100, Moritz Naumann wrote:
> My guess is that file-roller incorrectly passes the password to the zip 
> utility, using something like 
>   $ zip -P mypassword my.zip file1 file2
> 
> While this could be considered a security issue by itself (using the -e 
> option to pass the password to the (un)zip application is highly 
> recommended), the password may not be correctly escaped when being passed.
> 
> Obviously, passing a password value of 'foo$bah' using something like
>   $ zip -P foo$bah my.zip file1 file2
> will not work.

You are right. The password is improperly escaped when passed to the
"zip" command. That part of the code is absolutely horrible; it must be
rewritten for obvious security reasons.

Regards,
-- 
 .''`.           Josselin Mouette        /\./\
: :' :           josselin.mouette at ens-lyon.org
`. `'                        joss at debian.org
   `-  Debian GNU/Linux -- The power of freedom
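
The escaping failure discussed in this message, as an added example that is not part of the original e-mail and is not file-roller's code: it compares a password pasted into a shell command string with the same password quoted for the shell and with an argv list that bypasses the shell. The child process is a stand-in for zip (an assumption) that only echoes its arguments, and the function names are hypothetical.

```python
import os
import shlex
import subprocess
import sys

# Stand-in for zip (assumption): echoes its arguments one per line, so nothing
# is archived and the example runs without zip installed.
CHILD = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]
FILES = ["my.zip", "file1", "file2"]
# Make sure $bah is unset, as in the report's 'foo$bah' case.
ENV = {k: v for k, v in os.environ.items() if k != "bah"}


def _run(cmd, shell):
    out = subprocess.run(cmd, shell=shell, env=ENV, capture_output=True,
                         text=True, check=True).stdout
    return out.splitlines()


def password_seen_by_child(args):
    """Return the argument following -P, as the child actually received it."""
    return args[args.index("-P") + 1]


def naive_shell_string(password):
    # Pattern guessed in the report: password pasted into a shell command line.
    prefix = " ".join(map(shlex.quote, CHILD))
    return _run(prefix + " -P " + password + " " + " ".join(FILES), shell=True)


def quoted_shell_string(password):
    # Same command line, but every word is quoted for the shell first.
    return _run(" ".join(map(shlex.quote, CHILD + ["-P", password] + FILES)),
                shell=True)


def argv_list(password):
    # No shell at all: each list element becomes exactly one argv entry.
    return _run(CHILD + ["-P", password] + FILES, shell=False)


if __name__ == "__main__":
    for pw in ["foo$bah", "two words"]:  # constructed sample passwords
        for fn in (naive_shell_string, quoted_shell_string, argv_list):
            args = fn(pw)
            print(f"{fn.__name__:20} {pw!r:12} -> "
                  f"-P {password_seen_by_child(args)!r} ({len(args)} args)")
```

Correct quoting fixes the mangled password, but the password is still visible on the child's command line, which is the separate concern the report raises about `-P`.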





