zlib-ng / minizip-ng

Fork of the popular zip manipulation library found in the zlib distribution.
Other
1.25k stars 434 forks source link

minizip-ng is incorrectly unzipping PKCrypt archives when using an incorrect password #800

Closed Coeur closed 1 month ago

Coeur commented 2 months ago

Using minizip-ng 3.0.10 and 4.0.7, when a file is password protected with PKCrypt, it will accept incorrect passwords, but output corrupted files.

Here is the sample, provided by @qchenqizhi in https://github.com/ZipArchive/ZipArchive/issues/633: test3.zip

Correct password: "aaabbb". This will unzip to a file content of "test". Incorrect password: "1989". This will unzip to a file content of "E?k?".

The native /System/Library/CoreServices/Applications/Archive\ Utility.app on macOS will correctly detect that "1989" is incorrect, but minizip is unable to figure this out.

My suspicion is that it's caused by the (verify2 != 0) of this line: https://github.com/zlib-ng/minizip-ng/blob/fe5fedc365f7824ada0cf9a84fb79b30d5fc97a8/mz_strm_pkcrypt.c#L166

That code was written in year 2017, so it's potentially a 7-years old issue: https://github.com/zlib-ng/minizip-ng/commit/18a30653b1eb5e9f96ebc5ec1d93313d229bc731

I also found on internet that there seems to be an undocumented way for checking passwords.: https://stackoverflow.com/questions/53552562/why-the-zip-appnote-on-pkware-website-didnt-mentioned-the-correct-password-chec

Neustradamus commented 1 month ago

@Coeur: Warning, it is minizip-ng, not minizip here.

Coeur commented 1 month ago

Sure, that's just wording. I've renamed the title of the issue to minizip-ng. (you can see I'm already the second biggest "Contributor" to the project: https://github.com/zlib-ng/minizip-ng/graphs/contributors)

nmoinvaz commented 1 month ago

The check for verify2 != 0 was originally from InfoZip. https://github.com/madler/unzip/blob/0b82c20ac7375b522215b567174f370be89a4b12/crypt.c#L365 image

nmoinvaz commented 1 month ago

I have made a commit which should improve it.