Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the Archive-Zip CPAN distribution.

Report information
The Basics
Id:
8077
Status:
resolved
Priority:
Low/Low
Queue:

People
Owner:
nedkonz [...] cpan.org (email delivery suspended)
Requestors:
jester71 [...] gmx.net
Cc:
AdminCc:

BugTracker
Severity:
Important
Broken in:
1.13
Fixed in:
(no value)

Attachments


Subject: Archive::Zip is fooled by manipulated ZIP directory
Hello Recently, it was noticed that several antivirus programs miss viruses that are contained in ZIP archives with manipulated directory data. This is demonstrated e.g. by http://www.heise.de/security/dienste/emailcheck/demos/go.shtml?mail=zip_g0 (site is in German, sorry), from which you can send yourself a manipulated ZIP archive containing a text file and the EICAR test virus signature. The global archive directory of this ZIP file has been manipulated to indicate zero file sizes. Archive::Zip produces files of zero length when decompressing this ZIP. This causes AV products that use Archive::ZIP to fail to detect viruses in manipulated ZIP archives. One of these products is amavisd-new. I set the severity to important because this is a bug with security-critical implications.

Message body not shown because it is not plain text.

[guest - Thu Oct 21 06:01:30 2004]:
Show quoted text
> Hello > > Recently, it was noticed that several antivirus programs miss viruses > that are contained in ZIP archives with manipulated directory data.
[snip]
Show quoted text
> Archive::Zip produces files of zero length when decompressing this > ZIP. This causes AV products that use Archive::ZIP to fail to > detect viruses in manipulated ZIP archives. One of these products > is amavisd-new. > > I set the severity to important because this is a bug with security- > critical implications.
I added a fix for this to v1.14.
Fixed in 1.14
From: jester71@gmx.net
[NEDKONZ - Thu Oct 21 11:27:32 2004]:
Show quoted text
> I added a fix for this to v1.14.
Great, thanks! Tobias
From: link#yauw.de
[NEDKONZ - Thu Oct 21 11:30:10 2004]:
Show quoted text
> Fixed in 1.14
Is this fixed for the local header, too? The original report only mentions the global header, but http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities reports this for the global and the local header. Thanks. best regards Rainer Link
[guest - Sat Oct 23 17:06:29 2004]:
Show quoted text
> [NEDKONZ - Thu Oct 21 11:30:10 2004]: >
> > Fixed in 1.14
> > Is this fixed for the local header, too? The original report only > mentions the global header, but >
http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities
Show quoted text
> reports this for the global and the local header.
Yes, I don't use the values from the local header at all.


This service runs on Request Tracker, is sponsored by The Perl Foundation, and maintained by Best Practical Solutions.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.