pbzip2 output files created with excessive access permissions before being chmodded to proper permissions

Bug #807536 reported by Jeff Gilchrist on 2011-07-08
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
pbzip2
High
Yavor Nikolov

Bug Description

This bug was reported by Andy Isaacs on on the Debian bug tracking system as bug #633087: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633087

Copy & paste of the bug details:

"Package: pbzip2
Version: 1.1.1-1
Severity: important

while pbzip2 is writing compressed data to a file, the output file is
world-readable because my umask is 022. After completing compression
pbzip chmods the output file to the permissions of the input file.

% time pbzip2 -v big
...
     Input Size: 104857600 bytes
Compressing data...
^Z
% ls -l
...
-rw------- 1 adi adi 104857600 Jul 8 01:11 big
-rw-r--r-- 1 adi adi 8273 Jul 8 01:11 big.bz2

This can expose private data to other users of the computer if they read
the output file while it's being compressed.

The stock bzip2 program does not show this behavior (testing with bzip2
1.0.5-6).

% time bzip2 -v big
  big: ^Z
% ls -l
...
-rw------- 1 adi adi 104857600 Jul 8 01:12 big
-rw------- 1 adi adi 0 Jul 8 01:13 big.bz2"

Related branches

Changed in pbzip2:
assignee: nobody → Yavor Nikolov (yavor-nikolov)
Changed in pbzip2:
milestone: none → 1.1.5
Changed in pbzip2:
status: New → Confirmed
Yavor Nikolov (yavor-nikolov) wrote :

Issue exists both on compression and decompression.

Root cause analysis: the problem is not in umask (umask only restricts permissions but doesn't extend them) but in FILE_MODE macro definition.

summary: - pbzip2 output files created under umask before being chmodded to proper
- permissions
+ pbzip2 output files created with excessive access permissions before
+ being chmodded to proper permissions
Changed in pbzip2:
status: Confirmed → In Progress
Changed in pbzip2:
status: In Progress → Fix Committed
Changed in pbzip2:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers