Bug #9811 “CAN-2004-0970: Insecure temporary files” : Bugs : gzip package : Ubuntu

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2004-11-01:

#1

Automatically imported from Debian bug report #279208 http://bugs.debian.org/279208

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2004-11-01:

#2

Download full text (9.1 KiB)

Message-ID: <email address hidden>
Date: Mon, 1 Nov 2004 14:20:09 +0100
From: Martin Schulze <email address hidden>
To: <email address hidden>
Subject: CAN-2004-0970: Insecure temporary files

--w5er4h4/Yf2qR8D9
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline

Package: gzip
Version: 1.3.5-9
Severity: grave
Tags: sarge, sid, security, patch

Trustix developers discovered insecure temporary file creation in
supplemental scripts in the gzip package that can allows local users
to overwrite files via a symlink attack.

Please let me know which version fixes these problems in sid/sarge
while I take care of the package in woody.

I'm attaching the patch from Trustix and the patch I'm using for the
package in woody.

Regards,

Joey

--
This is GNU/Linux Country. On a quiet night, you can hear Windows reboot.

Please always Cc to me when replying to me on the lists.

--w5er4h4/Yf2qR8D9
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: attachment; filename="gzip-1.2.4-tempfile.patch"

diff -ur gzip-1.2.4a.orig/gzexe.in gzip-1.2.4a/gzexe.in
--- gzip-1.2.4a.orig/gzexe.in 2004-09-13 11:14:21.000000000 +0200
+++ gzip-1.2.4a/gzexe.in 2004-09-13 11:36:08.000000000 +0200
@@ -13,7 +13,7 @@
# The : is required for some old versions of csh.
# On Ultrix, /bin/sh is too buggy, change the first line to: #!/bin/sh5

-x=`basename $0`
+x=`basename "$0"`
if test $# = 0; then
   echo compress executables. original file foo is renamed to foo~
   echo usage: ${x} [-d] files...
@@ -21,9 +21,6 @@
   exit 1
fi

-tmp=gz$$
-trap "rm -f $tmp; exit 1" 1 2 3 5 10 13 15
-
decomp=0
res=0
test "$x" = "ungzexe" && decomp=1
@@ -32,12 +29,10 @@
shift
fi

-echo hi > zfoo1$$
-echo hi > zfoo2$$
-if test -z "`(${CPMOD-cpmod} zfoo1$$ zfoo2$$) 2>&1`"; then
- cpmod=${CPMOD-cpmod}
+cpmod=
+if type ${CPMOD:-cpmod} 2>/dev/null; then
+ cpmod=${CPMOD:-cpmod}
fi
-rm -f zfoo[12]$$

tail=""
IFS="${IFS= }"; saveifs="$IFS"; IFS="${IFS}:"
@@ -75,9 +70,14 @@
     continue
   fi
   case "`basename $i`" in
- gzip | tail | chmod | ln | sleep | rm)
+ bash | chmod | gzip | ln | mktemp | rm | sed | sh | tail)
  echo "${x}: $i would depend on itself"; continue ;;
   esac
+
+ tmp=`/bin/mktemp -t gzexe.XXXXXXXXXX` || exit 1
+ trap "rm -f $tmp; exit 1" HUP INT QUIT PIPE TERM
+ trap "rm -f $tmp; exit 0" EXIT
+
   if test -z "$cpmod"; then
     cp -p "$i" $tmp 2>/dev/null || cp "$i" $tmp
     if test -w $tmp 2>/dev/null; then
@@ -128,6 +128,7 @@
       :
     else
       echo ${x}: $i probably not in gzexe format, file unchanged.
+ rm -f $tmp
       res=1
       continue
     fi
diff -ur gzip-1.2.4a.orig/zdiff.in gzip-1.2.4a/zdiff.in
--- gzip-1.2.4a.orig/zdiff.in 1993-08-17 00:32:16.000000000 +0200
+++ gzip-1.2.4a/zdiff.in 2004-09-13 11:32:22.000000000 +0200
@@ -47,10 +47,11 @@
                 case "$2" in
          *[-.]gz* | *[-.][zZ] | *.t[ga]z)
    F=`echo "$2" | sed 's|.*/||;s|[-.][zZtga]*||'`
- gzip -cdfq "$2" > /tmp/"$F".$$
- gzip -cdfq "$1" | $comp $OPTIONS - /tmp/"$F".$$
+ TF="`/bin/mktemp -t "$F".XXXXXX`" || exit 1
+ ...

Message-ID: <20041101132009.GU7329@finlandia.infodrom.north.de>
Date: Mon, 1 Nov 2004 14:20:09 +0100
From: Martin Schulze <joey@infodrom.org>
To: submit@bugs.debian.org
Subject: CAN-2004-0970: Insecure temporary files

--w5er4h4/Yf2qR8D9
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline

Package: gzip
Version: 1.3.5-9
Severity: grave
Tags: sarge, sid, security, patch

Trustix developers discovered insecure temporary file creation in
supplemental scripts in the gzip package that can allows local users
to overwrite files via a symlink attack.

Please let me know which version fixes these problems in sid/sarge
while I take care of the package in woody.

I'm attaching the patch from Trustix and the patch I'm using for the
package in woody.

Regards,

Joey

-- 
This is GNU/Linux Country.  On a quiet night, you can hear Windows reboot.

Please always Cc to me when replying to me on the lists.

--w5er4h4/Yf2qR8D9
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: attachment; filename="gzip-1.2.4-tempfile.patch"

diff -ur gzip-1.2.4a.orig/gzexe.in gzip-1.2.4a/gzexe.in
--- gzip-1.2.4a.orig/gzexe.in	2004-09-13 11:14:21.000000000 +0200
+++ gzip-1.2.4a/gzexe.in	2004-09-13 11:36:08.000000000 +0200
@@ -13,7 +13,7 @@
 # The : is required for some old versions of csh.
 # On Ultrix, /bin/sh is too buggy, change the first line to: #!/bin/sh5
 
-x=`basename $0`
+x=`basename "$0"`
 if test $# = 0; then
   echo compress executables. original file foo is renamed to foo~
   echo usage: ${x} [-d] files...
@@ -21,9 +21,6 @@
   exit 1
 fi
 
-tmp=gz$$
-trap "rm -f $tmp; exit 1" 1 2 3 5 10 13 15
-
 decomp=0
 res=0
 test "$x" = "ungzexe" && decomp=1
@@ -32,12 +29,10 @@
   shift
 fi
 
-echo hi > zfoo1$$
-echo hi > zfoo2$$
-if test -z "`(${CPMOD-cpmod} zfoo1$$ zfoo2$$) 2>&1`"; then
-  cpmod=${CPMOD-cpmod}
+cpmod=
+if type ${CPMOD:-cpmod} 2>/dev/null; then
+  cpmod=${CPMOD:-cpmod}
 fi
-rm -f zfoo[12]$$
 
 tail=""
 IFS="${IFS= 	}"; saveifs="$IFS"; IFS="${IFS}:"
@@ -75,9 +70,14 @@
     continue
   fi
   case "`basename $i`" in
-  gzip | tail | chmod | ln | sleep | rm)
+  bash | chmod | gzip | ln | mktemp | rm | sed | sh | tail)
 	echo "${x}: $i would depend on itself"; continue ;;
   esac
+
+  tmp=`/bin/mktemp -t gzexe.XXXXXXXXXX` || exit 1
+  trap "rm -f $tmp; exit 1" HUP INT QUIT PIPE TERM
+  trap "rm -f $tmp; exit 0" EXIT
+
   if test -z "$cpmod"; then
     cp -p "$i" $tmp 2>/dev/null || cp "$i" $tmp
     if test -w $tmp 2>/dev/null; then
@@ -128,6 +128,7 @@
       :
     else
       echo ${x}: $i probably not in gzexe format, file unchanged.
+      rm -f $tmp
       res=1
       continue
     fi
diff -ur gzip-1.2.4a.orig/zdiff.in gzip-1.2.4a/zdiff.in
--- gzip-1.2.4a.orig/zdiff.in	1993-08-17 00:32:16.000000000 +0200
+++ gzip-1.2.4a/zdiff.in	2004-09-13 11:32:22.000000000 +0200
@@ -47,10 +47,11 @@
                 case "$2" in
 	        *[-.]gz* | *[-.][zZ] | *.t[ga]z)
 			F=`echo "$2" | sed 's|.*/||;s|[-.][zZtga]*||'`
-                        gzip -cdfq "$2" > /tmp/"$F".$$
-                        gzip -cdfq "$1" | $comp $OPTIONS - /tmp/"$F".$$
+                        TF="`/bin/mktemp -t "$F".XXXXXX`" || exit 1
+                        gzip -cdfq "$2" > "$TF"
+                        gzip -cdfq "$1" | $comp $OPTIONS - "$TF"
                         STAT="$?"
-			/bin/rm -f /tmp/"$F".$$;;
+			/bin/rm -f "$TF";;
 
                 *)      gzip -cdfq "$1" | $comp $OPTIONS - "$2"
                         STAT="$?";;
diff -ur gzip-1.2.4a.orig/znew.in gzip-1.2.4a/znew.in
--- gzip-1.2.4a.orig/znew.in	1993-06-23 10:00:25.000000000 +0200
+++ gzip-1.2.4a/znew.in	2004-09-13 11:35:39.000000000 +0200
@@ -14,28 +14,30 @@
 # block is the disk block size (best guess, need not be exact)
 
 warn="(does not preserve modes and timestamp)"
-tmp=/tmp/zfoo.$$
-echo hi > $tmp.1
-echo hi > $tmp.2
-if test -z "`(${CPMOD-cpmod} $tmp.1 $tmp.2) 2>&1`"; then
-  cpmod=${CPMOD-cpmod}
+cpmod=
+cpmodarg=
+if type ${CPMOD:-cpmod} 2>/dev/null; then
+  cpmod=${CPMOD:-cpmod}
   warn=""
 fi
 
-if test -z "$cpmod" && ${TOUCH-touch} -r $tmp.1 $tmp.2 2>/dev/null; then
-  cpmod="${TOUCH-touch}"
+if test -z "$cpmod"; then
+  cpmod=touch
   cpmodarg="-r"
   warn="(does not preserve file modes)"
 fi
 
 # check if GZIP env. variable uses -S or --suffix
-gzip -q $tmp.1
-ext=`echo $tmp.1* | sed "s|$tmp.1||"`
-rm -f $tmp.[12]*
-if test -z "$ext"; then
-  echo znew: error determining gzip extension
-  exit 1
-fi
+case "$GZIP" in
+  *-S*) ext=`echo "$GZIP" | sed 's/^.*-S[[:space:]]*$[^[:space:]]*$.*$/\1/'`
+       ;;
+  *--suffix=*) ext=`echo "$GZIP" | sed 's/^.*--suffix=$[^[:space:]]*$.*$/\1/'`
+       ;;
+  *--suffix*) ext=`echo "$GZIP" | sed 's/^.*--suffix[[:space:]][[:space:]]*$[^[:space:]]*$.*$/\1/'`
+       ;;
+  *) ext='.gz'
+       ;;
+esac
 if test "$ext" = ".Z"; then
   echo znew: cannot use .Z as gzip extension.
   exit 1

--w5er4h4/Yf2qR8D9
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: attachment; filename="patch.CAN-2004-0970.gzip"

diff -u gzip-1.3.2/gzexe.in gzip-1.3.2/gzexe.in
--- gzip-1.3.2/gzexe.in
+++ gzip-1.3.2/gzexe.in
@@ -13,7 +13,7 @@
 # The : is required for some old versions of csh.
 # On Ultrix, /bin/sh is too buggy, change the first line to: #!/bin/sh5
 
-x=`basename $0`
+x=`basename "$0"`
 if test $# = 0; then
   echo compress executables. original file foo is renamed to foo~
   echo usage: ${x} [-d] files...
@@ -21,9 +21,6 @@
   exit 1
 fi
 
-tmp=gz$$
-trap "rm -f $tmp; exit 1" 1 2 3 5 10 13 15
-
 decomp=0
 res=0
 test "$x" = "ungzexe" && decomp=1
@@ -32,12 +29,10 @@
   shift
 fi
 
-echo hi > zfoo1$$
-echo hi > zfoo2$$
-if test -z "`(${CPMOD-cpmod} zfoo1$$ zfoo2$$) 2>&1`"; then
-  cpmod=${CPMOD-cpmod}
+cpmod=
+if type ${CPMOD:-cpmod} 2>/dev/null; then
+  cpmod=${CPMOD:-cpmod}
 fi
-rm -f zfoo[12]$$
 
 tail=""
 IFS="${IFS= 	}"; saveifs="$IFS"; IFS="${IFS}:"
@@ -75,9 +70,14 @@
     continue
   fi
   case "`basename $i`" in
-  gzip | tail | chmod | ln | sleep | rm)
+  bash | chmod | gzip | ln | mktemp | rm | sed | sh | tail)
 	echo "${x}: $i would depend on itself"; continue ;;
   esac
+
+  tmp=`/bin/mktemp -t gzexe.XXXXXXXXXX` || exit 1
+  trap "rm -f $tmp; exit 1" HUP INT QUIT PIPE TERM
+  trap "rm -f $tmp; exit 0" EXIT
+
   if test -z "$cpmod"; then
     cp -p "$i" $tmp 2>/dev/null || cp "$i" $tmp
     if test -w $tmp 2>/dev/null; then
@@ -129,6 +129,7 @@
       :
     else
       echo ${x}: $i probably not in gzexe format, file unchanged.
+      rm -f $tmp
       res=1
       continue
     fi
diff -u gzip-1.3.2/znew.in gzip-1.3.2/znew.in
--- gzip-1.3.2/znew.in
+++ gzip-1.3.2/znew.in
@@ -14,29 +14,30 @@
 # block is the disk block size (best guess, need not be exact)
 
 warn="(does not preserve modes and timestamp)"
-tmp=/tmp/zfoo.$$
-set -C
-echo hi > $tmp.1 || exit 1
-echo hi > $tmp.2 || exit 1
-if test -z "`(${CPMOD-cpmod} $tmp.1 $tmp.2) 2>&1`"; then
-  cpmod=${CPMOD-cpmod}
+cpmod=
+cpmodarg=
+if type ${CPMOD:-cpmod} 2>/dev/null; then
+  cpmod=${CPMOD:-cpmod}
   warn=""
 fi
 
-if test -z "$cpmod" && ${TOUCH-touch} -r $tmp.1 $tmp.2 2>/dev/null; then
-  cpmod="${TOUCH-touch}"
+if test -z "$cpmod" && ${TOUCH:-touch} -r $tmp.1 $tmp.2 2>/dev/null; then
+  cpmod="${TOUCH:-touch}"
   cpmodarg="-r"
   warn="(does not preserve file modes)"
 fi
 
 # check if GZIP env. variable uses -S or --suffix
-gzip -q $tmp.1
-ext=`echo $tmp.1* | sed "s|$tmp.1||"`
-rm -f $tmp.[12]*
-if test -z "$ext"; then
-  echo znew: error determining gzip extension
-  exit 1
-fi
+case "$GZIP" in
+  *-S*) ext=`echo "$GZIP" | sed 's/^.*-S[[:space:]]*$[^[:space:]]*$.*$/\1/'`
+       ;;
+  *--suffix=*) ext=`echo "$GZIP" | sed 's/^.*--suffix=$[^[:space:]]*$.*$/\1/'`
+       ;;
+  *--suffix*) ext=`echo "$GZIP" | sed 's/^.*--suffix[[:space:]][[:space:]]*$[^[:space:]]*$.*$/\1/'`
+       ;;
+  *) ext='.gz'
+       ;;
+esac
 if test "$ext" = ".Z"; then
   echo znew: cannot use .Z as gzip extension.
   exit 1
diff -u gzip-1.3.2/debian/changelog gzip-1.3.2/debian/changelog
--- gzip-1.3.2/debian/changelog
+++ gzip-1.3.2/debian/changelog
@@ -1,3 +1,11 @@
+gzip (1.3.2-3woody2) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Applied Trustix patch to correct insecure temporary file use in zdiff
+    and znew [zdiff.in, znew.in, CAN-2004-0970, Bugtraq Id 11288]
+
+ -- Martin Schulze <joey@infodrom.org>  Sun, 31 Oct 2004 20:02:13 +0100
+
 gzip (1.3.2-3woody1) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team
only in patch2:
unchanged:
--- gzip-1.3.2.orig/zdiff.in
+++ gzip-1.3.2/zdiff.in
@@ -46,12 +46,12 @@
                 case "$2" in
 	        *[-.]gz* | *[-.][zZ] | *.t[ga]z)
 			F=`echo "$2" | sed 's|.*/||;s|[-.][zZtga]*||'`
-			set -C
-			trap 'rm -f /tmp/"$F".$$; exit 2' 1 2 13 15 0
-			gzip -cdfq "$2" > /tmp/"$F".$$ || exit
-                        gzip -cdfq "$1" | $comp $OPTIONS - /tmp/"$F".$$
+                        TF="`/bin/mktemp -t "$F".XXXXXX`" || exit 1
+                        trap "rm -f $TF; exit 2" 1 2 13 15 0
+			gzip -cdfq "$2" > "$TF" || exit
+			gzip -cdfq "$1" | $comp $OPTIONS - "$TF"
                         STAT="$?"
-			/bin/rm -f /tmp/"$F".$$ || STAT=2
+			/bin/rm -f $TF || STAT=2
 			trap 1 2 13 15 0
 			exit $STAT;;

--w5er4h4/Yf2qR8D9--

Revision history for this message

Martin Pitt (pitti) wrote on 2004-11-02:

#3

interdiff for security update 1.3.5-9ubuntu3.1 Edit (4.1 KiB, text/plain)

Created an attachment (id=670)
interdiff for security update 1.3.5-9ubuntu3.1

I did not completely used the proposed patch, because I think that some parts
are broken.

Revision history for this message

Martin Pitt (pitti) wrote on 2004-11-02:

#4

Same fix for Warty and Hoary, can be uploaded at any time.

Proposed advisory detail text:

Recently, Trustix Secure Linux discovered some vulnerabilities in the
gzip package. The programs "znew", "zdiff", and "gzexe" created
temporary files in an insecure way, which allowed a symlink attack to
create or overwrite arbitrary files with the privileges of the user
invoking the program.

Revision history for this message

Martin Pitt (pitti) wrote on 2004-11-02:

#5

Argh, since the scripts run with noclobber ("set -C"), this is actually a
non-issue. Thanks to Matt for pointing me at this.

Revision history for this message

In Debian Bug tracker #279208, Bdale Garbee (bdale) wrote on 2004-11-03: set -C

#6

This is a duplicate of #278277, which mdz closed as not being a problem for
Debian because of the use of 'set -C' in these scripts, which prevents
truncation of existing files during redirection.

Closing this one with no action taken on the same justification.

Bdale

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2004-11-03:

#7

Message-ID: <email address hidden>
Date: Wed, 03 Nov 2004 09:32:22 -0700
From: Bdale Garbee <email address hidden>
To: <email address hidden>
Subject: set -C

This is a duplicate of #278277, which mdz closed as not being a problem for
Debian because of the use of 'set -C' in these scripts, which prevents
truncation of existing files during redirection.

Closing this one with no action taken on the same justification.

Bdale

Bug Watch Updater (bug-watch-updater) on 2006-09-27

Changed in gzip:
status:	Unknown → Fix Released

Affects		Status	Importance	Assigned to	Milestone
	gzip (Debian)	Fix Released	Unknown	debbugs #279208
	gzip (Ubuntu)	Invalid	High	Martin Pitt

Ubuntu
gzip package

CAN-2004-0970: Insecure temporary files

Bug Description

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntugzip package

CAN-2004-0970: Insecure temporary files

Bug Description

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
gzip package