
Bug#882177: marked as done (busybox: unzip creates world-writable directories)



Your message dated Wed, 12 Jan 2022 12:13:32 +0100
with message-id <2678434.HhyVr56btz@bagend>
and subject line Re: busybox: unzip creates world-writable directories
has caused the Debian Bug report #882177,
regarding busybox: unzip creates world-writable directories
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
882177: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882177
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: busybox
Version: 1:1.27.2-1
Tags: security

When busybox's unzip creates a directory that is not shipped directly in the zip file, it makes the directory world-writable:

  $ zipinfo moo.zip
  Archive:  moo.zip
  Zip file size: 112 bytes, number of entries: 1
  -rw-r--r--  3.0 unx        0 b- stor 17-Nov-19 22:51 moo/moo
  1 file, 0 bytes uncompressed, 0 bytes compressed:  0.0%

  $ busybox unzip moo.zip
  Archive:  moo.zip
    inflating: moo/moo

  $ ls -ld moo
  drwxrwxrwx 2 jwilk users 4096 Nov 19 22:03 moo


-- System Information:
Architecture: i386

Versions of packages busybox depends on:
ii  libc6  2.25-1

--
Jakub Wilk

--- End Message ---
--- Begin Message ---
Version: 1:1.30.1-1

This was fixed in upstream commit 5cdd120f0c6423a42fa2eec2311126142a9a49f0 and 
part of the upstream 1.29.0 release. The first version uploaded to Debian with 
that fix was 1:1.30.1-1, so close it with that version.



--- End Message ---
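
An added example, not part of the bug report or of busybox: a POSIX shell check that extracts into a private directory, then finds and repairs directories left world-writable, as in the `ls -ld moo` output of the report. All function names are hypothetical, and `fake_extract` is a constructed stand-in that reproduces the reported mode so the check runs without an affected busybox.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a tree produced by an archive
# extractor for directories that were left world-writable.

# Print directories under $1 that have the other-write bit set and no sticky
# bit (sticky world-writable directories, as /tmp is, are a separate case).
list_ww_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# Count the findings under $1.
count_ww_dirs() {
    list_ww_dirs "$1" | wc -l | tr -d ' '
}

# Remove the other-write bit from every finding under $1.
fix_ww_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -exec chmod o-w {} +
}

# Constructed stand-in for the affected extractor: creates moo/moo and forces
# the implicit parent directory to mode 0777, matching the report's ls output.
fake_extract() {
    mkdir -p "$1/moo" && chmod 0777 "$1/moo" && : > "$1/moo/moo"
}

# Run the extractor command given as arguments, with a fresh private directory
# appended as its last argument (mktemp -d creates it with mode 0700, so other
# users cannot reach the tree even before it is repaired). Findings go to
# stderr, are repaired, and the directory path is printed on stdout.
audit_extract() {
    dest=$(mktemp -d) || return 1
    "$@" "$dest" || return 1
    list_ww_dirs "$dest" | sed 's/^/world-writable: /' >&2
    fix_ww_dirs "$dest"
    printf '%s\n' "$dest"
}
```

With a real extractor the call would be `audit_extract busybox unzip moo.zip -d`, so that the private directory becomes the argument of `-d`.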
