Skip Menu |
 

This queue is for tickets about the Archive-Zip CPAN distribution.

Report information
The Basics
Id: 8077
Status: resolved
Priority: 0/
Queue: Archive-Zip

People
Owner: nedkonz [...] cpan.org
Requestors: jester71 [...] gmx.net
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 1.13
Fixed in: (no value)

Attachments


Subject: Archive::Zip is fooled by manipulated ZIP directory
Download (untitled) / with headers
text/plain 794b
Hello Recently, it was noticed that several antivirus programs miss viruses that are contained in ZIP archives with manipulated directory data. This is demonstrated e.g. by http://www.heise.de/security/dienste/emailcheck/demos/go.shtml?mail=zip_g0 (site is in German, sorry), from which you can send yourself a manipulated ZIP archive containing a text file and the EICAR test virus signature. The global archive directory of this ZIP file has been manipulated to indicate zero file sizes. Archive::Zip produces files of zero length when decompressing this ZIP. This causes AV products that use Archive::ZIP to fail to detect viruses in manipulated ZIP archives. One of these products is amavisd-new. I set the severity to important because this is a bug with security-critical implications.
Download eicar_g0.zip
application/zip 523b

Message body not shown because it is not plain text.

Download (untitled) / with headers
text/plain 567b
[guest - Thu Oct 21 06:01:30 2004]: Show quoted text
> Hello > > Recently, it was noticed that several antivirus programs miss viruses > that are contained in ZIP archives with manipulated directory data.
[snip] Show quoted text
> Archive::Zip produces files of zero length when decompressing this > ZIP. This causes AV products that use Archive::ZIP to fail to > detect viruses in manipulated ZIP archives. One of these products > is amavisd-new. > > I set the severity to important because this is a bug with security- > critical implications.
I added a fix for this to v1.14.
Fixed in 1.14
From: jester71 [...] gmx.net
Download (untitled) / with headers
text/plain 100b
[NEDKONZ - Thu Oct 21 11:27:32 2004]: Show quoted text
> I added a fix for this to v1.14.
Great, thanks! Tobias
From: link#yauw.de
Download (untitled) / with headers
text/plain 314b
[NEDKONZ - Thu Oct 21 11:30:10 2004]: Show quoted text
> Fixed in 1.14
Is this fixed for the local header, too? The original report only mentions the global header, but http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities reports this for the global and the local header. Thanks. best regards Rainer Link
Download (untitled) / with headers
text/plain 404b
[guest - Sat Oct 23 17:06:29 2004]: Show quoted text
> [NEDKONZ - Thu Oct 21 11:30:10 2004]: >
> > Fixed in 1.14
> > Is this fixed for the local header, too? The original report only > mentions the global header, but >
http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities Show quoted text
> reports this for the global and the local header.
Yes, I don't use the values from the local header at all.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.