Package: file-roller
Version: 2.10.4-2
Severity: important

File-roller seems to incorrectly set passwords on .zip files.

While I can set a password using file-roller and create a password-protected archive just fine, and can also extract files from this archive fine using file-roller (after restarting the application), it is impossible to use the InfoZip unzip CLI as contained in the 'unzip' Debian package (v5.52-5) to decrypt this archive using the password previously set in file-roller.

This only happens with some passwords. While 'foobah' will work fine, 'foo$bah' does not, i.e. an archive garbled with this password can only be restored by file-roller, but not using the CLI.

My guess is that file-roller incorrectly passes the password to the zip utility, using something like

  $ zip -P mypassword my.zip file1 file2

While this could be considered a security issue by itself (using the -e option to pass the password to the (un)zip application is highly recommended), the password may not be correctly escaped when being passed. Obviously, passing a password value of 'foo$bah' using something like

  $ zip -P foo$bah my.zip file1 file2

will not work.

But as said before, this is just a guess and the problem may be caused by something completely different.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-k7
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages file-roller depends on:
ii  bzip2                   1.0.2-10        high-quality block-sorting file co
ii  gconf2                  2.10.1-6        GNOME configuration database syste
ii  gzip                    1.3.5-12        The GNU compression utility
ii  libart-2.0-2            2.3.17-1        Library of functions for 2D graphi
ii  libatk1.0-0             1.10.3-1        The ATK accessibility toolkit
ii  libbonobo2-0            2.10.1-1        Bonobo CORBA interfaces library
ii  libbonoboui2-0          2.10.1-1        The Bonobo UI library
ii  libc6                   2.3.5-8         GNU C Library: Shared libraries an
ii  libgconf2-4             2.10.1-6        GNOME configuration database syste
ii  libglade2-0             1:2.5.1-2       library to load .glade files at ru
ii  libglib2.0-0            2.8.3-1         The GLib library of C routines
ii  libgnome2-0             2.10.1-1        The GNOME 2 library - runtime file
ii  libgnomecanvas2-0       2.10.2-2        A powerful object-oriented display
ii  libgnomeui-0            2.10.1-1        The GNOME 2 libraries (User Interf
ii  libgnomevfs2-0          2.10.1-5        The GNOME virtual file-system libr
ii  libgtk2.0-0             2.6.10-1        The GTK+ graphical user interface
ii  libice6                 6.8.2.dfsg.1-7  Inter-Client Exchange library
ii  libnautilus-extension1  2.10.1-5        libraries for nautilus components
ii  liborbit2               1:2.12.4-1      libraries for ORBit2 - a CORBA ORB
ii  libpango1.0-0           1.8.2-3         Layout and rendering of internatio
ii  libpopt0                1.7-5           lib for parsing cmdline parameters
ii  libsm6                  6.8.2.dfsg.1-7  X Window System Session Management
ii  libxml2                 2.6.22-2        GNOME XML library
ii  tar                     1.15.1-2        GNU tar
ii  unzip                   5.52-5          De-archiver for .zip files
ii  xlibs                   6.8.2.dfsg.1-7  X Window System client libraries m
ii  zip                     2.31-3          Archiver for .zip files
ii  zlib1g                  1:1.2.3-8       compression library - runtime

Versions of packages file-roller recommends:
ii  arj                     3.10.22-1       archiver for .arj files
ii  lha                     1.14i-10        lzh archiver
ii  lzop                    1.01-3          fast compression program
pn  rpm                     <none>          (no description available)
ii  sharutils               1:4.2.1-15      shar, unshar, uuencode, uudecode

-- no debconf information
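
The escaping failure guessed at in the report above, as an added example that is not part of the original report and is not file-roller's code. It assumes a hypothetical `zip_stub` function standing in for `zip` and uses `eval` to model a shell parsing a command string; whether file-roller builds its command this way is the reporter's guess, not something the report confirms.

```shell
#!/bin/sh
# Added illustration (constructed): zip_stub stands in for zip and prints the
# password it actually receives after -P, so nothing is archived or encrypted.
zip_stub() {
    while [ "$#" -gt 0 ]; do
        if [ "$1" = "-P" ]; then
            printf '%s' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Guessed faulty behaviour: the password is pasted unescaped into a command
# string that a shell then parses (eval models that parsing step).
naive_password() {
    ( unset bah; eval "zip_stub -P $1 my.zip file1 file2" )
}

# Wrap a value in single quotes for the shell; an embedded ' becomes '\''.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Same command string, but with the password escaped before interpolation.
quoted_password() {
    ( unset bah; eval "zip_stub -P $(shell_quote "$1") my.zip file1 file2" )
}

# No shell parsing at all: the password travels as one argv element.
direct_password() {
    zip_stub -P "$1" my.zip file1 file2
}

# The two sample passwords from the report.
for pw in 'foobah' 'foo$bah'; do
    printf '%-8s naive=[%s] quoted=[%s] direct=[%s]\n' "$pw" \
        "$(naive_password "$pw")" \
        "$(quoted_password "$pw")" "$(direct_password "$pw")"
done
```

Under that guess, 'foobah' survives every path while 'foo$bah' reaches the stub as 'foo' on the naive path, because the shell expands the unset variable `$bah` to nothing.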

