zipinfo executable permission mystery #9

Closed
Tracked by #10
obfusk opened this issue Feb 6, 2023 · 2 comments

obfusk commented Feb 6, 2023

For some reason, the original zipinfo marks files named META-INF/services/io.jsonwebtoken.CompressionCodec as executable.

I have no idea why, since there are no metadata differences that would explain this.

So I'm assuming it's an odd bug in the original, not in the Python version in this repo.

I've seen this with several different APK files, and it's always the same filename, never any other file.

@@ -95,7 +95,7 @@
 -rw----     2.4 fat        5 b-        5 stor 81-Jan-01 01:01 META-INF/kotlinx_coroutines_core.version
 -rw----     2.4 fat       39 b-       39 stor 81-Jan-01 01:01 META-INF/services/com.fasterxml.jackson.core.JsonFactory
 -rw----     2.4 fat       44 b-       44 stor 81-Jan-01 01:01 META-INF/services/com.fasterxml.jackson.core.ObjectCodec
--rwx---     2.4 fat      110 b-       60 defN 81-Jan-01 01:01 META-INF/services/io.jsonwebtoken.CompressionCodec
+-rw----     2.4 fat      110 b-       60 defN 81-Jan-01 01:01 META-INF/services/io.jsonwebtoken.CompressionCodec
 -rw----     2.4 fat       46 b-       42 defN 81-Jan-01 01:01 META-INF/services/io.jsonwebtoken.io.Deserializer
 -rw----     2.4 fat       44 b-       40 defN 81-Jan-01 01:01 META-INF/services/io.jsonwebtoken.io.Serializer
 -rw----     2.4 fat      112 b-       57 defN 81-Jan-01 01:01 META-INF/services/java.security.Provider
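
Review bot: the hunk has no `---`/`+++` file headers, so on the `META-INF/services/io.jsonwebtoken.CompressionCodec` pair nothing in the diff itself says which tool printed `-rwx---` and which printed `-rw----`. Label the two sides (original zipinfo and the Python version) directly above the hunk so the comparison can be read without the surrounding text.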

obfusk commented Feb 6, 2023

> So I'm assuming it's an odd bug in the original

And indeed it is, since the extension .CompressionCodec starts with .com.

https://sources.debian.org/src/unzip/6.0-27/zipinfo.c/#L2086

                    if (STRNICMP(p, "com", 3) == 0 ||
                        STRNICMP(p, "exe", 3) == 0 ||
                        STRNICMP(p, "btm", 3) == 0 ||
                        STRNICMP(p, "cmd", 3) == 0 ||
                        STRNICMP(p, "bat", 3) == 0)
                        attribs[3] = 'x';

obfusk closed this as completed Feb 6, 2023

obfusk commented Feb 7, 2023

Found another example:

-rwx---     2.0 fat        0 b-        0 stor 23-Jan-24 22:31 META-INF/maven/org.apache.commons/
-rwx---     2.0 fat        0 b-        0 stor 23-Jan-24 22:31 META-INF/maven/org.apache.commons/commons-lang3/
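
The effect of the quoted check on entry names from this thread, as an added example that is not part of the original comments or of unzip's source: `x_by_prefix` reproduces the three-character comparison, and `x_by_exact` is a hypothetical stricter variant for contrast. The helper names, the `TOOLS/EDIT.COM` control entry and the assumption that the extension is the text after the last `.` in the entry name are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive compare of the first n bytes (stand-in for unzip's STRNICMP). */
static int ncasecmp(const char *a, const char *b, size_t n) {
    for (; n > 0; a++, b++, n--) {
        int d = tolower((unsigned char)*a) - tolower((unsigned char)*b);
        if (d != 0 || *a == '\0') return d;
    }
    return 0;
}

static const char *const EXTS[] = { "com", "exe", "btm", "cmd", "bat" };

/* Text after the last '.', or NULL (assumption: this is how the extension is located). */
static const char *ext_of(const char *name) {
    const char *dot = strrchr(name, '.');
    return dot ? dot + 1 : NULL;
}

/* The check quoted above: only the first three characters are compared. */
int x_by_prefix(const char *name) {
    const char *p = ext_of(name);
    for (size_t i = 0; p && i < 5; i++)
        if (ncasecmp(p, EXTS[i], 3) == 0) return 1;
    return 0;
}

/* Hypothetical stricter check: the extension must be exactly three characters long. */
int x_by_exact(const char *name) {
    const char *p = ext_of(name);
    return p && strlen(p) == 3 && x_by_prefix(name);
}

int main(void) {
    const char *names[] = { /* entry names from this issue, plus one constructed control */
        "META-INF/services/io.jsonwebtoken.CompressionCodec",
        "META-INF/services/io.jsonwebtoken.io.Deserializer",
        "META-INF/maven/org.apache.commons/commons-lang3/",
        "TOOLS/EDIT.COM", /* constructed */
    };
    for (size_t i = 0; i < sizeof names / sizeof *names; i++)
        printf("prefix=%d exact=%d %s\n",
               x_by_prefix(names[i]), x_by_exact(names[i]), names[i]);
    return 0;
}
```

For FAT-host entries the `x` column is therefore derived from the entry name alone, so it should not be read as a stored permission bit when comparing listings.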
