| Summary: | unzip misinterprets certain zip files as containing symbolic links | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Ken Arromdee <arromdee2> |
| Component: | RPM Packages | Assignee: | All Packagers <pkg-bugs> |
| Status: | NEW --- | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | Keywords: | UPSTREAM |
| Version: | 8 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.info-zip.org, http://infozip.sourceforge.net/ | ||
| Whiteboard: | |||
| Source RPM: | unzip-6.0-2.mga8.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Will not unzip properly in 6.0 | ||
Description
Ken Arromdee
2022-08-20 07:54:48 CEST
Created attachment 13365
Will not unzip properly in 6.0
Thank you for the report and example file.
The package's website shows "UnZip 6.0 was released on 29 April 2009"... "please direct all comments and questions to the Info-ZIP authors at the address/bug page given in the FAQ"
http://infozip.sourceforge.net/FAQ.html
"How do I report bugs?" http://infozip.sourceforge.net/FAQ.html#zip-bugs is redundant.
At the foot of the page: "Please direct all Info-ZIP queries (availability, ports, bugs, corrections, etc.) to Zip-Bug"
http://www.info-zip.org/zip-bug.html
From there, I e-mailed this report, await their reply.

CC: (none) => lewyssmith

They replied quickly & effectively:
" This is an old bug that was fixed long ago, but we haven't done a
formal UnZip release since then. You have some options:
1. UnZip 6.10b (beta) source kit
https://sourceforge.net/projects/infozip/files/unreleased%20Betas/UnZip%20betas/unzip610b.zip/download
2. If you don't like that 6.10b (beta) version, then you could try an
informal source kit of UnZip 6.00 plus various minor fixes.
http://antinode.info/ftp/info-zip/unzip60s4/unzip60s4_src.zip
"
Option 1 looks best, see next comment for the evidence.
Illustrating the effectiveness of v6.10b (upstream):
"Around here (on a Mac):
Original UnZip 6.00:
proa$ /usr/local/bin/unzip6 -d 60 symlink_prob.zip 'VOL*'
Archive: symlink_prob.zip
inflating: 60/VOL.0
inflating: 60/VOL.1
inflating: 60/VOL.2 -> ^R4^B?^J^X^E?^G^E??
finishing deferred symbolic links:
60/VOL.2 -> ^R4^B?^J^X^E?^G^E??
proa$
UnZip 6.1b (beta):
proa$ /usr/local/src/zip/unzip610b/unzip -d 61b symlink_prob.zip 'VOL*'
Archive: symlink_prob.zip
inflating: 61b/VOL.0
inflating: 61b/VOL.1
inflating: 61b/VOL.2
proa$
"
-----------------------------------------------------
I forgot this in the previous comment, from upstream:
(In reply to Ken Arromdee from comment #0)
> Although those
> bugs claim the problem only happens when there are over 16384 entries, I
> don't believe this claim is correct.
There may be more than one way to set the bit that causes the problem.
Unzip has no maintainer, so assigning this bug globally.

CC: lewyssmith => (none)

Postscript from upstream Info-ZIP-Dev@GOATLEY.COM (Steven M. Schweda):
"
Aside from our inadequate testing, one potential problem with that 6.10b (beta) version would be that if you find a bug in it, we (I) probably won't want to provide a fix for that version. Some later internal-development version would be more likely to get the work. Another patch to 6.00 would also be possible, of course.
The Debian folks (and, I suspect, Red Hat) are pretty active in patching our stuff, especially for recent CVEs (which wouldn't be fixed in that (rather old) 6.10b (beta) version), so getting an UnZip 6.00 source kit there might make some sense. Their list of changes/fixes might be different from the one in that unzip60s4_src.zip kit, too.
"
Hmmm
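
As an added example (not part of this bug report and not Info-ZIP code), one way to check a transcript like the UnZip 6.00 one above is to compare the names unzip printed as `name -> target` with the entries the archive's own central directory marks as symbolic links. It assumes the link marker is the Unix file type in the high 16 bits of the external attributes, as Python's `zipfile` exposes it (the report does not say which bit is involved); the archive, the sample output and all function names are constructed for illustration.

```python
import io
import re
import stat
import zipfile

def archive_symlinks(zip_bytes):
    """Entry names that the archive's own metadata marks as symbolic links."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Assumption: create_system 3 = Unix, high 16 bits of external_attr = st_mode
        return {i.filename for i in zf.infolist()
                if i.create_system == 3 and stat.S_ISLNK(i.external_attr >> 16)}

def unzip_reported_links(output, dest):
    """Names an unzip run printed as 'name -> target'; dest is the -d directory."""
    links, prefix = set(), dest.rstrip("/") + "/"
    for line in output.splitlines():
        m = re.match(r"\s*(?:\w+:\s+)?(.+?)\s+->\s", line)
        if m:
            links.add(m.group(1).removeprefix(prefix))
    return links

def misread_links(zip_bytes, output, dest):
    """Entries unzip handled as links although the archive does not mark them so."""
    return unzip_reported_links(output, dest) - archive_symlinks(zip_bytes)

def build_sample_zip():
    """Constructed archive: three regular files and one genuine symlink entry."""
    entries = [(n, stat.S_IFREG | 0o644, b"\x12\x34\x02 data")
               for n in ("VOL.0", "VOL.1", "VOL.2")]
    entries.append(("latest", stat.S_IFLNK | 0o777, b"VOL.2"))  # target stored as data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mode, data in entries:
            info = zipfile.ZipInfo(name)
            info.create_system, info.external_attr = 3, mode << 16
            zf.writestr(info, data)
    return buf.getvalue()

# Constructed output, modelled on the UnZip 6.00 transcript in this report
SAMPLE_OUTPUT = """Archive:  sample.zip
  inflating: 60/VOL.0
  inflating: 60/VOL.1
  inflating: 60/VOL.2 -> ^R4^B?
finishing deferred symbolic links:
  60/VOL.2 -> ^R4^B?
  60/latest -> VOL.2
"""

if __name__ == "__main__":
    print(sorted(misread_links(build_sample_zip(), SAMPLE_OUTPUT, "60")))
```

A non-empty result names entries that were written to disk as links even though the archive stores them as regular files, so those paths need re-extracting with a fixed unzip build.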