Bug#882177: busybox: unzip creates world-writable directories
Package: busybox
Version: 1:1.27.2-1
Tags: security
When busybox's unzip creates a directory that is not shipped directly in
the zip file, it makes the directory world-writable:
$ zipinfo moo.zip
Archive: moo.zip
Zip file size: 112 bytes, number of entries: 1
-rw-r--r-- 3.0 unx 0 b- stor 17-Nov-19 22:51 moo/moo
1 file, 0 bytes uncompressed, 0 bytes compressed: 0.0%
$ busybox unzip moo.zip
Archive: moo.zip
inflating: moo/moo
$ ls -ld moo
drwxrwxrwx 2 jwilk users 4096 Nov 19 22:03 moo
-- System Information:
Architecture: i386
Versions of packages busybox depends on:
ii libc6 2.25-1
--
Jakub Wilk
Reply to: