[svlug] A followup on UnZipping in Linux.

Ron theotiwii at earthlink.net
Wed Jan 23 09:15:02 PST 2002


Mark,

That was complete, thank you for your research and your opinions.

There is only one significant issue that I would challenge, your
statement:

> No one is to blame.  <snip>

I wasn't attempting to "blame" anyone (reference my email); I was
looking for who was "responsible," as in, who do I address to prevent
others from this "monumental time sink."

Specifically, it seems UnZip should have either done the job OR posted a
coherent message for refusing. Your input concerning a possible (most
likely) patched version of UnZip indicates UnZip WOULD have done the job
but the patch's author prevented the operation (yes, I understand the
security implications) WITHOUT BOTHERING to include an advisory that
would assist in understanding the behavior.

If I did that to one of my customers... specifically, prevented _normal_
code operation (for what ever reason) without the courtesy of generating
a coherent explanation for the new behavior... 

That's what I'm getting at: in that situation, everyone could be
considered to be doing the "right" thing but "no product is generated (files
unzipped)." Who is responsible? In _my opinion_ it is the author of the
patch.

I'm not trashing anyone or any product or starting a smear campaign
against community supported software AND NONE of my emails has said OR
implied that. When I presented, as a potential reason:

>     D. Unzip in Linux is user malicious,
>        good luck if the user isn't perfect...

I do not consider it an abuse of community supported software, and quite
frankly, I'm currently hard pressed not to consider it as the correct
answer.

But... I digress, Mark has provided excellent insight into the dynamics
of my problem and has included thoughtful opinions of the issues I
faced. Thank you for your help and for sharing some of your experience
and commitment to the Unix community.

-Ron

PS: Pete (Carapetyan - WebAppWriter), there are versions of UnZip on
Linux and other flavors of Unix that have been patched to prevent
"directory-traversal" (reference this URL:)

	http://www.info-zip.org/FAQ.html#corruption

Some of the above users may be puzzled by the operation of UnZip on the
files you are generating for that reason. Although the use of the
command line option "-d" will allow the user to unzip the files, perhaps
you might consider removing your use of relative paths as, in the
opinion of this user, the resulting error message is not definitive to
allow inexperienced unzip users to successfully accomplish the task. :-)
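The PS describes UnZip builds patched to refuse "directory-traversal" entries (names containing relative `../` components or absolute paths) and complains that the refusal comes with no useful explanation. The following is an added example, not code from the thread or from Info-ZIP: it inspects a ZIP archive before extraction and either refuses with a message naming the offending entries, or extracts. The helper names and the constructed sample archives are the example's own.

```python
import io
import posixpath
import re
import tempfile
import zipfile

def unsafe_entries(data):
    """Return the entry names in a ZIP (bytes) that would escape the extraction directory."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # ZIP names use '/' but some Windows tools write '\'; treat both as separators.
            norm = posixpath.normpath(name.replace("\\", "/"))
            escapes = (
                posixpath.isabs(norm)                 # /etc/passwd
                or norm == ".." or norm.startswith("../")  # ../x or a/../../x after normalisation
                or re.match(r"^[A-Za-z]:", norm) is not None  # C:/... drive-letter paths
            )
            if escapes:
                bad.append(name)
    return bad

def safe_extract(data, dest):
    """Extract into dest, or raise ValueError with a coherent explanation of the refusal."""
    bad = unsafe_entries(data)
    if bad:
        raise ValueError(
            "refusing to extract: %d entr%s would write outside %s: %s"
            % (len(bad), "y" if len(bad) == 1 else "ies", dest, ", ".join(bad))
        )
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
        return sorted(i.filename for i in zf.infolist())

def make_archive(entries):
    """Build an in-memory ZIP from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: one archive with relative-path entries, one without.
TRAVERSAL_ZIP = make_archive({"../../etc/passwd": b"x", "docs/a/../../../b": b"y", "ok.txt": b"z"})
CLEAN_ZIP = make_archive({"ok.txt": b"z", "docs/a/../b.txt": b"w"})

if __name__ == "__main__":
    print(safe_extract(CLEAN_ZIP, tempfile.mkdtemp()))
    try:
        safe_extract(TRAVERSAL_ZIP, tempfile.mkdtemp())
    except ValueError as e:
        print(e)
```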
