Ren'Py zip distributions contain world-writable files.

[Spiky Caterpillar]

When Ren'Py creates a zipfile, it sets the permissions for the zip members to be 666 or 777. Info-zip's unzip program overrides the user's umask when decompressing by default, so *any* code running on the same computer can modify game files if it can read the directory that they were extracted into, and thus gain access to the account that the user is playing the game in. Apple (confirmed in Lion and Jaguar), Debian (confirmed in Wheezy), and the upstream source all ship vulnerable versions of unzip.

You should be able to patch old Ren'Py versions by finding where in the launcher the zip members' external attributes are set - lines like:

Code: Select all

                zi.external_attr = long(0100777) << 16
                zi.external_attr = long(0100666) << 16 
            zi.external_attr = (long(0040777) << 16) | 0x10

and changing the 777s and 666s to 755 and 644 respectively. It's only important to change on zips - Linux tar.bz2 archives also have mode 666/777, but the Linux tar program (at least on Debian) honours umasks properly so they. Note that all-architecture zip distributions and Windows zip distributions being played using Wine *DO* have vulnerable permissions.

[PyTom]

I'll make this change in the next release of Ren'Py - I'm tracking the issue here: https://github.com/renpy/renpy/issues/104

Are they going to be fixing this in info-zip? It seems like a major bug that could affect a lot of software, not just Ren'Py.

[Spiky Caterpillar]

Excellent, thanks.

It looks like they're planning to fix it in info-zip as well. (And searching my own computer for zips with world-writable files turned up several non-Ren'Py-generated files.)