unzip shell call

Bug #350640 reported by Tomas Jakstas

This bug affects 4 people

Affects              Status         Importance   Assigned to   Milestone
Debian               Invalid        Undecided    Unassigned
fcrackzip (Debian)   New            Undecided    Unassigned
fcrackzip (Ubuntu)   Fix Released   Medium       Unassigned

Bug Description

Binary package hint: fcrackzip

This bug is due to unescaped password characters ", ', ` when using a dictionary file

sh: Syntax error: Unterminated quoted string
sh: Syntax error: EOF in backquote substitution

Tags: patch
Tomas Jakstas (bizabrazija) wrote :
Brian Murray (brian-murray) wrote :

This seems to have been solved a different way but fixed nonetheless in Lucid.

#include <string.h>

/* dest must have room for 2 * strlen(str) + 1 bytes */
char *
path_for_shell (char *dest, const char *str)
{
  /* backslash shell special characters */

  char ch, *p = dest;
  size_t len = strlen(str);
  size_t i;

  for (i = 0; i < len; i++)
  {
    ch = str[i];

    switch (ch)
    {
    /* ASCII table order */
    case '!':
    case '"':
    case '#':
    case '$':
    case '&':
    case 0x27: /* single quote */
    case '(':
    case ')':
    case '*':
    case '+':
    case 0x2C:
    case ':':
    case ';':
    case '<':
    case '>':
    case '?':
    case '[':
    case '\\':
    case ']':
    case '^':
    case '`':
    case '{':
    case '|':
    case '}':
      /* backslash special characters */
      *p++ = '\\';
      *p++ = ch;
      break;
    default:
      *p++ = ch;
    }
  }

  /* terminate string */
  *p = '\0';

  return dest;
}

Changed in fcrackzip (Debian):
status: New → Won't Fix
Changed in fcrackzip (Ubuntu):
status: New → Fix Released
Alex Harrington (alexharrington) wrote :

Sorry if I've missed something but I'm still seeing this on Lucid:

$ apt-cache policy fcrackzip
fcrackzip:
  Installed: 1.0-1
  Candidate: 1.0-1
  Version table:
 *** 1.0-1 0
        500 http://gb.archive.ubuntu.com/ubuntu/ lucid/universe Packages
        100 /var/lib/dpkg/status

$ fcrackzip -u --brute-force myzip.zip

I get lots of this output:

sh: Syntax error: Unterminated quoted string
sh: Syntax error: Missing '))'

Same if I use a dictionary with the "-D -p english.dic" syntax too.

Alex

Richard Corner (rcorner) wrote :

I experience the same problem as Alex Harrington in Lucid, with the same version of fcrackzip.

Not only the file path but the password string is passed on the shell command line to unzip. So it seems the passwords should also be escaped for the shell's consumption.

I attach a patch that I think fixes the issue.

Changed in fcrackzip (Ubuntu):
status: Fix Released → In Progress
status: In Progress → Confirmed
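
Added example (not fcrackzip's code and not the attached patch, which this page does not show): one way to quote both the password and the file path so that sh passes every byte through unchanged, including the ", ' and ` characters from the report. The names shell_quote and build_unzip_command and the unzip command line are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Quote str as one POSIX sh word: wrap it in single quotes and rewrite each
 * embedded ' as '\''. Returns dest, or NULL when dest_size is too small. */
char *shell_quote(char *dest, size_t dest_size, const char *str)
{
    const char *s;
    char *p = dest;
    size_t need = 3;                      /* two quotes plus the NUL */

    for (s = str; *s; s++)
        need += (*s == '\'') ? 4 : 1;
    if (need > dest_size)
        return NULL;
    *p++ = '\'';
    for (s = str; *s; s++) {
        if (*s == '\'') {
            memcpy(p, "'\\''", 4);        /* close, escaped quote, reopen */
            p += 4;
        } else {
            *p++ = *s;
        }
    }
    *p++ = '\'';
    *p = '\0';
    return dest;
}

/* Hypothetical helper: build the line handed to system(). The unzip flags
 * (-P password, -t test, -qq quiet) are an assumed invocation.
 * Returns 0 on success, -1 if anything would not fit. */
int build_unzip_command(char *cmd, size_t cmd_size, const char *pw, const char *zip)
{
    char qpw[512], qzip[512];
    int n;

    if (!shell_quote(qpw, sizeof qpw, pw) || !shell_quote(qzip, sizeof qzip, zip))
        return -1;
    n = snprintf(cmd, cmd_size, "unzip -qqtP %s %s", qpw, qzip);
    return (n < 0 || (size_t)n >= cmd_size) ? -1 : 0;
}

int main(void)
{
    char cmd[1200];
    /* Constructed dictionary word using the characters from the report. */
    if (build_unzip_command(cmd, sizeof cmd, "a\"b'c`d", "my zip.zip") == 0)
        puts(cmd);
    return 0;
}
```

Running the child with fork() and execvp() instead of system() removes the shell, and with it the need for any quoting.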
Richard Corner (rcorner) wrote :

Should I be creating a new bug? It seems that Debian has the problem with unescaped characters in the file path marked as fixed (Debian bug #430387), but the problem with unescaped characters in passwords seems to remain.

tags: added: patch
Changed in fcrackzip (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Medium
Changed in fcrackzip (Debian):
status: Won't Fix → New
Brian Murray (brian-murray) wrote :

Thank you for providing a patch for this bug report. This particular package is synchronized with Debian so it would be quite helpful if you were to forward the patch to the Debian bug tracker. You can learn more about how to use the Debian bug tracker at https://wiki.ubuntu.com/Debian/Bugs. After you've forwarded the bug report and patch please add a bug watch, following the procedure at http://wiki.ubuntu.com/Bugs/Watches, so we can track the progress of the upstream bug report.

Changed in debian:
status: New → Invalid
Jari Aalto (jari-aalto) wrote :
Brian Murray (brian-murray) wrote :

Natty has the version of fcrackzip with the patch.

9:54:00 - flash:[/tmp] rmadison fcrackzip
 fcrackzip | 0.3-2 | dapper/universe | source, amd64, i386, powerpc
 fcrackzip | 0.3-2 | hardy/universe | source, amd64, i386
 fcrackzip | 1.0-0ubuntu1 | karmic/universe | source, amd64, i386
 fcrackzip | 1.0-1 | lucid/universe | source, amd64, i386
 fcrackzip | 1.0-1 | maverick/universe | source, amd64, i386
 fcrackzip | 1.0-2 | natty/universe | source, amd64, i386

Changed in fcrackzip (Ubuntu):
status: Triaged → Fix Released