Package: fcrackzip
Version: 0.3-2
Severity: normal
Tags: patch
The --use-unzip check for false positives assumes that when unzip returns with
a particular non-zero status code, it means the password was found.

Maybe this was true for older versions of unzip, but it isn't now. I've
verified that with up-to-date unzip, the only reliable way to tell a password is
correct is when the status code is 0.

Patch attached (tested and known to work).
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-k7
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ANSI_X3.4-1968) (ignored: LC_ALL
set to C)
-- no debconf information
--- fcrackzip-0.3/main.c~ 2005-12-03 11:45:58.000000000 +0100
+++ fcrackzip-0.3/main.c 2005-12-03 11:57:40.088311632 +0100
@@ -69,10 +69,7 @@
status = system (buff);
#undef REDIR
-/* In case of "stored" items, unzip returns 1.
- * In case of wrong password, the returned value is 122.
- */
- if ((status == EXIT_SUCCESS) || (WEXITSTATUS(status) == 1))
+ if (status == EXIT_SUCCESS)
{
printf("\n\nPASSWORD FOUND!!!!: pw == %s\n", pw);
exit (EXIT_SUCCESS);
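Review bot: The new condition `if (status == EXIT_SUCCESS)` compares the raw return value of `system (buff)` with an exit code, while the line it replaces decoded that value with WEXITSTATUS. system() returns a wait status (or -1 if the command could not be run), so the test would state its intent more clearly as `if (WIFEXITED(status) && WEXITSTATUS(status) == 0)`, which also rules out the -1 and killed-by-signal cases explicitly. The hunk also deletes the only comment describing unzip's exit codes without replacing it; a one-line comment saying that only exit status 0 is treated as a correct password, and that non-zero codes are no longer trusted, would keep the reasoning from the report next to the code.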