Skip Menu |

This queue is for tickets about the Archive-Zip CPAN distribution.

Report information
The Basics
Id: 8077
Status: resolved
Priority: 0/
Queue: Archive-Zip
People
Owner: nedkonz [...] cpan.org
Requestors: jester71 [...] gmx.net
Cc:
AdminCc:
Bug Information
Severity: Important
Broken in: 1.13
Fixed in: (no value)
Attachments
eicar_g0.zip

History Show all quoted text
  Thu Oct 21 06:01:30 2004 Guest - Ticket created
Subject: Archive::Zip is fooled by manipulated ZIP directory
Hello Recently, it was noticed that several antivirus programs miss viruses that are contained in ZIP archives with manipulated directory data. This is demonstrated e.g. by http://www.heise.de/security/dienste/emailcheck/demos/go.shtml?mail=zip_g0 (site is in German, sorry), from which you can send yourself a manipulated ZIP archive containing a text file and the EICAR test virus signature. The global archive directory of this ZIP file has been manipulated to indicate zero file sizes. Archive::Zip produces files of zero length when decompressing this ZIP. This causes AV products that use Archive::ZIP to fail to detect viruses in manipulated ZIP archives. One of these products is amavisd-new. I set the severity to important because this is a bug with security-critical implications.
Download eicar_g0.zip
application/zip 523b

Message body not shown because it is not plain text.

  Thu Oct 21 11:27:32 2004 nedkonz [...] cpan.org - Correspondence added
[guest - Thu Oct 21 06:01:30 2004]: Show quoted text
> Hello > > Recently, it was noticed that several antivirus programs miss viruses > that are contained in ZIP archives with manipulated directory data.
[snip] Show quoted text
> Archive::Zip produces files of zero length when decompressing this > ZIP. This causes AV products that use Archive::ZIP to fail to > detect viruses in manipulated ZIP archives. One of these products > is amavisd-new. > > I set the severity to important because this is a bug with security- > critical implications.
I added a fix for this to v1.14.
  Thu Oct 21 11:30:10 2004 nedkonz [...] cpan.org - Correspondence added
Fixed in 1.14
  Thu Oct 21 11:30:11 2004 nedkonz [...] cpan.org - Status changed from 'new' to 'resolved'
  Thu Oct 21 11:30:48 2004 nedkonz [...] cpan.org - Taken
  Fri Oct 22 02:01:52 2004 Guest - Correspondence added
From: jester71 [...] gmx.net
[NEDKONZ - Thu Oct 21 11:27:32 2004]: Show quoted text
> I added a fix for this to v1.14.
Great, thanks! Tobias
  Fri Oct 22 02:01:53 2004 The RT System itself - Status changed from 'resolved' to 'open'
  Sat Oct 23 17:06:29 2004 Guest - Correspondence added
From: link#yauw.de
[NEDKONZ - Thu Oct 21 11:30:10 2004]: Show quoted text
> Fixed in 1.14
Is this fixed for the local header, too? The original report only mentions the global header, but http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities reports this for the global and the local header. Thanks. best regards Rainer Link
  Sat Oct 23 17:15:57 2004 nedkonz [...] cpan.org - Correspondence added
[guest - Sat Oct 23 17:06:29 2004]: Show quoted text
> [NEDKONZ - Thu Oct 21 11:30:10 2004]: >
> > Fixed in 1.14
> > Is this fixed for the local header, too? The original report only > mentions the global header, but >
http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities Show quoted text
> reports this for the global and the local header.
Yes, I don't use the values from the local header at all.
  Fri Jan 21 11:06:17 2005 nedkonz [...] cpan.org - Status changed from 'open' to 'resolved'