Package: gzip
Version: 1.6-5+b1
Severity: serious
Tags: Security

Dear Maintainer,

say I gzip a file named sample_name. As a result I get a new packed file sample_name.gz. When gunzipping this file, the result is a file named sample_name. That is the expected result and in no way surprising or objectionable.

But when I rename sample_name.gz to disguised_name.gz and then gunzip it, the result is a file with the new name disguised_name. The original filename will not be preserved. Even if I look into the file with gunzip -l, I will not see the original filename.

This might be intentional behaviour, but it is somewhat surprising - and it might lead to dangerous results! In fact, this behaviour is currently actively exploited to bypass content checks on MTAs and deliver trojans via mail to their intended victims. The problem is that other (un)zipping tools, e.g. file-roller or nearly each and every unzipping tool under Windows, don't show the same behaviour as gunzip, but unzip the file to its original filename.

The scenario is as follows: a trojan horse named trojan.exe will be gzipped. The resulting file will be renamed trojan.pdf.gz and will then be sent via mail to some target address. The MTA uses e.g. Amavis to look into the attachment with gunzip -l, sees an obviously harmless filename trojan.pdf and lets it pass. The recipient unzips the file, expects a pdf, but gets an executable, double-click...

This scenario will not work with any other zipping tool than gzip!

As said before, this behaviour might be intentional; even more, there might be scripts in the wild which count on this behaviour and would be broken if it is changed. But at least the list command gzip -l resp. gunzip -l should show the real content of the zipped file and not just the filename with the .gz stripped.
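
The check the report asks for can be done on the scanner side by reading the optional FNAME field of the gzip header (RFC 1952) instead of deriving a name from the attachment name. The following is an added example, not part of the original report and not gzip or Amavis code; the function names and the sample payload are constructed for illustration.

```python
import gzip
import io
import struct

FEXTRA, FNAME = 0x04, 0x08  # FLG bits defined in RFC 1952


def stored_name(blob: bytes):
    """Return the original filename stored in the gzip header, or None."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    flg = blob[3]
    pos = 10  # fixed part: magic(2) CM(1) FLG(1) MTIME(4) XFL(1) OS(1)
    if flg & FEXTRA:  # optional extra field comes before the name
        (xlen,) = struct.unpack_from("<H", blob, pos)
        pos += 2 + xlen
    if not flg & FNAME:
        return None
    end = blob.index(b"\x00", pos)  # name is zero-terminated ISO 8859-1
    return blob[pos:end].decode("latin-1")


def name_from_outer(outer: str) -> str:
    """The name the report says gunzip -l shows: outer name minus .gz."""
    return outer[:-3] if outer.endswith(".gz") else outer


def check_attachment(outer: str, blob: bytes) -> dict:
    """Compare the name derived from the attachment with the stored one."""
    inner = stored_name(blob)
    derived = name_from_outer(outer)
    return {"derived": derived, "stored": inner,
            "mismatch": inner is not None and inner != derived}


def make_sample(original_name: str, payload: bytes) -> bytes:
    """Build a constructed gzip stream in memory with FNAME set."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=original_name, mode="wb",
                       fileobj=buf, mtime=0) as gz:
        gz.write(payload)
    return buf.getvalue()


if __name__ == "__main__":
    blob = make_sample("sample_name", b"constructed sample payload")
    print(check_attachment("sample_name.gz", blob))
    print(check_attachment("disguised_name.gz", blob))
```

A filter would apply its filename policy to the stored name as well as the derived one, and treat a mismatch as a signal in its own right.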