
Ren'Py zip distributions contain world-writable files.

Posted: Mon May 20, 2013 6:03 pm
by Spiky Caterpillar
When Ren'Py creates a zipfile, it sets the permissions for the zip members to be 666 or 777. Info-zip's unzip program overrides the user's umask when decompressing by default, so *any* code running on the same computer can modify game files if it can read the directory that they were extracted into, and thus gain access to the account that the user is playing the game in. Apple (confirmed in Lion and Jaguar), Debian (confirmed in Wheezy), and the upstream source all ship vulnerable versions of unzip.

You should be able to patch old Ren'Py versions by finding where in the launcher the zip members' external attributes are set - lines like:

Code:

zi.external_attr = long(0100777) << 16
zi.external_attr = long(0100666) << 16
zi.external_attr = (long(0040777) << 16) | 0x10
and changing the 777s and 666s to 755 and 644 respectively. It's only important to change on zips - Linux tar.bz2 archives also have mode 666/777, but the Linux tar program (at least on Debian) honours umasks properly so they. Note that all-architecture zip distributions and Windows zip distributions being played using Wine *DO* have vulnerable permissions.
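An added example, not code from the original post or from Ren'Py itself, that builds a small constructed zip with the 0666/0777 external_attr values described above, lists the members that unzip would extract world-writable, and rewrites the archive with the 0644/0755 modes the post recommends (Python 3; the launcher lines quoted above are Python 2):

```python
import io
import stat
import zipfile

# Constructed sample archive: one directory and one file, written with the
# same external_attr layout the post describes (Unix mode in the high 16 bits,
# 0x10 = MS-DOS directory flag). Defaults reproduce the vulnerable modes.
def build_sample_zip(file_mode: int = 0o666, dir_mode: int = 0o777) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        di = zipfile.ZipInfo("game/")
        di.external_attr = ((stat.S_IFDIR | dir_mode) << 16) | 0x10
        zf.writestr(di, b"")
        fi = zipfile.ZipInfo("game/script.rpy")
        fi.external_attr = (stat.S_IFREG | file_mode) << 16
        zf.writestr(fi, b'label start:\n    "Hello."\n    return\n')
    return buf.getvalue()

def unix_mode(info: zipfile.ZipInfo) -> int:
    """Permission bits stored in the high 16 bits of external_attr."""
    return (info.external_attr >> 16) & 0o7777

def world_writable_members(zip_bytes: bytes) -> list:
    """Names of members whose stored mode has the other-write bit set,
    i.e. what info-zip's unzip will create world-writable regardless of umask."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if unix_mode(i) & stat.S_IWOTH]

def harden_external_attr(external_attr: int) -> int:
    """Clear group/other write bits: 0666 -> 0644, 0777 -> 0755.
    File-type bits and the low 16 (MS-DOS) bits are preserved."""
    high = external_attr >> 16
    mode = (high & 0o7777) & ~(stat.S_IWGRP | stat.S_IWOTH)
    new_high = (high & ~0o7777) | mode
    return (new_high << 16) | (external_attr & 0xFFFF)

def rewrite_with_safe_modes(zip_bytes: bytes) -> bytes:
    """Copy an archive member by member, rewriting each mode with
    harden_external_attr so a fixed distribution can be re-shipped."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            info.external_attr = harden_external_attr(info.external_attr)
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()
```

Run world_writable_members over an existing distribution's bytes to audit it; an empty list means no member would be extracted world-writable.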

Re: Ren'Py zip distributions contain world-writable files.

Posted: Mon May 20, 2013 9:24 pm
by PyTom
I'll make this change in the next release of Ren'Py - I'm tracking the issue here: https://github.com/renpy/renpy/issues/104

Are they going to be fixing this in info-zip? It seems like a major bug that could affect a lot of software, not just Ren'Py.

Re: Ren'Py zip distributions contain world-writable files.

Posted: Mon May 20, 2013 10:32 pm
by Spiky Caterpillar
Excellent, thanks.

It looks like they're planning to fix it in info-zip as well. (And searching my own computer for zips with world-writable files turned up several non-Ren'Py-generated files.)