Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 1 Nov 2004 14:20:09 +0100
From: Martin Schulze <email address hidden>
To: <email address hidden>
Subject: CAN-2004-0970: Insecure temporary files

--w5er4h4/Yf2qR8D9
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline

Package: gzip
Version: 1.3.5-9
Severity: grave
Tags: sarge, sid, security, patch

Trustix developers discovered insecure temporary file creation in
supplemental scripts in the gzip package that can allow local users
to overwrite files via a symlink attack.

Please let me know which version fixes these problems in sid/sarge
while I take care of the package in woody.

I'm attaching the patch from Trustix and the patch I'm using for the
package in woody.

Regards,

 Joey

--
This is GNU/Linux Country. On a quiet night, you can hear Windows reboot.

Please always Cc to me when replying to me on the lists.

--w5er4h4/Yf2qR8D9
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: attachment; filename="gzip-1.2.4-tempfile.patch"

diff -ur gzip-1.2.4a.orig/gzexe.in gzip-1.2.4a/gzexe.in
--- gzip-1.2.4a.orig/gzexe.in 2004-09-13 11:14:21.000000000 +0200
+++ gzip-1.2.4a/gzexe.in 2004-09-13 11:36:08.000000000 +0200
@@ -13,7 +13,7 @@
 # The : is required for some old versions of csh.
 # On Ultrix, /bin/sh is too buggy, change the first line to: #!/bin/sh5

-x=`basename $0`
+x=`basename "$0"`
 if test $# = 0; then
   echo compress executables. original file foo is renamed to foo~
   echo usage: ${x} [-d] files...
@@ -21,9 +21,6 @@
   exit 1
 fi

-tmp=gz$$
-trap "rm -f $tmp; exit 1" 1 2 3 5 10 13 15
-
 decomp=0
 res=0
 test "$x" = "ungzexe" && decomp=1
@@ -32,12 +29,10 @@
   shift
 fi

-echo hi > zfoo1$$
-echo hi > zfoo2$$
-if test -z "`(${CPMOD-cpmod} zfoo1$$ zfoo2$$) 2>&1`"; then
- cpmod=${CPMOD-cpmod}
+cpmod=
+if type ${CPMOD:-cpmod} 2>/dev/null; then
+ cpmod=${CPMOD:-cpmod}
 fi
-rm -f zfoo[12]$$

 tail=""
 IFS="${IFS= }"; saveifs="$IFS"; IFS="${IFS}:"
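Review bot: `type ${CPMOD:-cpmod} 2>/dev/null` on L75 discards only stderr, so whenever cpmod is found `type` prints its "cpmod is /usr/bin/cpmod" report to the script's stdout on every run. The probe should be `if type "${CPMOD:-cpmod}" >/dev/null 2>&1; then`, which also keeps a CPMOD value containing whitespace from being word-split. The same probe appears in the znew.in hunks ending at L171 and L287 and in the second gzexe.in copy ending at L210.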
@@ -75,9 +70,14 @@
     continue
   fi
   case "`basename $i`" in
- gzip | tail | chmod | ln | sleep | rm)
+ bash | chmod | gzip | ln | mktemp | rm | sed | sh | tail)
  echo "${x}: $i would depend on itself"; continue ;;
   esac
+
+ tmp=`/bin/mktemp -t gzexe.XXXXXXXXXX` || exit 1
+ trap "rm -f $tmp; exit 1" HUP INT QUIT PIPE TERM
+ trap "rm -f $tmp; exit 0" EXIT
+
   if test -z "$cpmod"; then
     cp -p "$i" $tmp 2>/dev/null || cp "$i" $tmp
     if test -w $tmp 2>/dev/null; then
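Review bot: `trap "rm -f $tmp; exit 0" EXIT` on L93 forces exit status 0 whenever the script ends, so the non-zero `res` that gzexe accumulates (`res=1` in the next hunk) looks like it is lost at the final exit; if the script ends with `exit $res` as its structure suggests, callers can no longer detect a failed conversion. Dropping the explicit status from the EXIT trap, `trap "rm -f $tmp" EXIT`, preserves it. `$tmp` is also expanded when the trap is installed, so a TMPDIR containing whitespace breaks the cleanup; `trap 'rm -f "$tmp"' EXIT` avoids that. The same lines recur in the second gzexe.in copy ending at L227, and the enclosing per-file loop body continues outside the hunk.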
@@ -128,6 +128,7 @@
       :
     else
       echo ${x}: $i probably not in gzexe format, file unchanged.
+ rm -f $tmp
       res=1
       continue
     fi
diff -ur gzip-1.2.4a.orig/zdiff.in gzip-1.2.4a/zdiff.in
--- gzip-1.2.4a.orig/zdiff.in 1993-08-17 00:32:16.000000000 +0200
+++ gzip-1.2.4a/zdiff.in 2004-09-13 11:32:22.000000000 +0200
@@ -47,10 +47,11 @@
                 case "$2" in
          *[-.]gz* | *[-.][zZ] | *.t[ga]z)
    F=`echo "$2" | sed 's|.*/||;s|[-.][zZtga]*||'`
- gzip -cdfq "$2" > /tmp/"$F".$$
- gzip -cdfq "$1" | $comp $OPTIONS - /tmp/"$F".$$
+ TF="`/bin/mktemp -t "$F".XXXXXX`" || exit 1
+ gzip -cdfq "$2" > "$TF"
+ gzip -cdfq "$1" | $comp $OPTIONS - "$TF"
                         STAT="$?"
- /bin/rm -f /tmp/"$F".$$;;
+ /bin/rm -f "$TF";;

                 *) gzip -cdfq "$1" | $comp $OPTIONS - "$2"
                         STAT="$?";;
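Review bot: The temp file created by `/bin/mktemp -t "$F".XXXXXX` on L115 has no trap around it, so an interrupt between that line and the `/bin/rm -f "$TF"` on L120 leaves a decompressed copy of the input behind in the temp directory; the Debian variant of this fix (the last hunk on this page) does install one. Adding `trap 'rm -f "$TF"; exit 2' 1 2 13 15` directly after the mktemp line and resetting it after the rm covers that. The template prefix `$F` is derived from the user-supplied filename, so a name beginning with `-` would reach mktemp as an option; worth confirming against the mktemp in use.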
diff -ur gzip-1.2.4a.orig/znew.in gzip-1.2.4a/znew.in
--- gzip-1.2.4a.orig/znew.in 1993-06-23 10:00:25.000000000 +0200
+++ gzip-1.2.4a/znew.in 2004-09-13 11:35:39.000000000 +0200
@@ -14,28 +14,30 @@
 # block is the disk block size (best guess, need not be exact)

 warn="(does not preserve modes and timestamp)"
-tmp=/tmp/zfoo.$$
-echo hi > $tmp.1
-echo hi > $tmp.2
-if test -z "`(${CPMOD-cpmod} $tmp.1 $tmp.2) 2>&1`"; then
- cpmod=${CPMOD-cpmod}
+cpmod=
+cpmodarg=
+if type ${CPMOD:-cpmod} 2>/dev/null; then
+ cpmod=${CPMOD:-cpmod}
   warn=""
 fi

-if test -z "$cpmod" && ${TOUCH-touch} -r $tmp.1 $tmp.2 2>/dev/null; then
- cpmod="${TOUCH-touch}"
+if test -z "$cpmod"; then
+ cpmod=touch
   cpmodarg="-r"
   warn="(does not preserve file modes)"
 fi

 # check if GZIP env. variable uses -S or --suffix
-gzip -q $tmp.1
-ext=`echo $tmp.1* | sed "s|$tmp.1||"`
-rm -f $tmp.[12]*
-if test -z "$ext"; then
- echo znew: error determining gzip extension
- exit 1
-fi
+case "$GZIP" in
+ *-S*) ext=`echo "$GZIP" | sed 's/^.*-S[[:space:]]*\([^[:space:]]*\).*$/\1/'`
+ ;;
+ *--suffix=*) ext=`echo "$GZIP" | sed 's/^.*--suffix=\([^[:space:]]*\).*$/\1/'`
+ ;;
+ *--suffix*) ext=`echo "$GZIP" | sed 's/^.*--suffix[[:space:]][[:space:]]*\([^[:space:]]*\).*$/\1/'`
+ ;;
+ *) ext='.gz'
+ ;;
+esac
 if test "$ext" = ".Z"; then
   echo znew: cannot use .Z as gzip extension.
   exit 1
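Review bot: The new `case "$GZIP"` block on L159-L168 can leave `ext` empty — for example `GZIP="-S"` with no argument, or `--suffix=` followed by whitespace — and the same hunk removes the `test -z "$ext"` guard that caught exactly that, so znew would continue with an empty extension. Keeping a check after the `esac`, `test -n "$ext" || { echo znew: error determining gzip extension; exit 1; }`, restores the protection. The same case block appears in the znew.in hunk ending at L287.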

--w5er4h4/Yf2qR8D9
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: attachment; filename="patch.CAN-2004-0970.gzip"

diff -u gzip-1.3.2/gzexe.in gzip-1.3.2/gzexe.in
--- gzip-1.3.2/gzexe.in
+++ gzip-1.3.2/gzexe.in
@@ -13,7 +13,7 @@
 # The : is required for some old versions of csh.
 # On Ultrix, /bin/sh is too buggy, change the first line to: #!/bin/sh5

-x=`basename $0`
+x=`basename "$0"`
 if test $# = 0; then
   echo compress executables. original file foo is renamed to foo~
   echo usage: ${x} [-d] files...
@@ -21,9 +21,6 @@
   exit 1
 fi

-tmp=gz$$
-trap "rm -f $tmp; exit 1" 1 2 3 5 10 13 15
-
 decomp=0
 res=0
 test "$x" = "ungzexe" && decomp=1
@@ -32,12 +29,10 @@
   shift
 fi

-echo hi > zfoo1$$
-echo hi > zfoo2$$
-if test -z "`(${CPMOD-cpmod} zfoo1$$ zfoo2$$) 2>&1`"; then
- cpmod=${CPMOD-cpmod}
+cpmod=
+if type ${CPMOD:-cpmod} 2>/dev/null; then
+ cpmod=${CPMOD:-cpmod}
 fi
-rm -f zfoo[12]$$

 tail=""
 IFS="${IFS= }"; saveifs="$IFS"; IFS="${IFS}:"
@@ -75,9 +70,14 @@
     continue
   fi
   case "`basename $i`" in
- gzip | tail | chmod | ln | sleep | rm)
+ bash | chmod | gzip | ln | mktemp | rm | sed | sh | tail)
  echo "${x}: $i would depend on itself"; continue ;;
   esac
+
+ tmp=`/bin/mktemp -t gzexe.XXXXXXXXXX` || exit 1
+ trap "rm -f $tmp; exit 1" HUP INT QUIT PIPE TERM
+ trap "rm -f $tmp; exit 0" EXIT
+
   if test -z "$cpmod"; then
     cp -p "$i" $tmp 2>/dev/null || cp "$i" $tmp
     if test -w $tmp 2>/dev/null; then
@@ -129,6 +129,7 @@
       :
     else
       echo ${x}: $i probably not in gzexe format, file unchanged.
+ rm -f $tmp
       res=1
       continue
     fi
diff -u gzip-1.3.2/znew.in gzip-1.3.2/znew.in
--- gzip-1.3.2/znew.in
+++ gzip-1.3.2/znew.in
@@ -14,29 +14,30 @@
 # block is the disk block size (best guess, need not be exact)

 warn="(does not preserve modes and timestamp)"
-tmp=/tmp/zfoo.$$
-set -C
-echo hi > $tmp.1 || exit 1
-echo hi > $tmp.2 || exit 1
-if test -z "`(${CPMOD-cpmod} $tmp.1 $tmp.2) 2>&1`"; then
- cpmod=${CPMOD-cpmod}
+cpmod=
+cpmodarg=
+if type ${CPMOD:-cpmod} 2>/dev/null; then
+ cpmod=${CPMOD:-cpmod}
   warn=""
 fi

-if test -z "$cpmod" && ${TOUCH-touch} -r $tmp.1 $tmp.2 2>/dev/null; then
- cpmod="${TOUCH-touch}"
+if test -z "$cpmod" && ${TOUCH:-touch} -r $tmp.1 $tmp.2 2>/dev/null; then
+ cpmod="${TOUCH:-touch}"
   cpmodarg="-r"
   warn="(does not preserve file modes)"
 fi

 # check if GZIP env. variable uses -S or --suffix
-gzip -q $tmp.1
-ext=`echo $tmp.1* | sed "s|$tmp.1||"`
-rm -f $tmp.[12]*
-if test -z "$ext"; then
- echo znew: error determining gzip extension
- exit 1
-fi
+case "$GZIP" in
+ *-S*) ext=`echo "$GZIP" | sed 's/^.*-S[[:space:]]*\([^[:space:]]*\).*$/\1/'`
+ ;;
+ *--suffix=*) ext=`echo "$GZIP" | sed 's/^.*--suffix=\([^[:space:]]*\).*$/\1/'`
+ ;;
+ *--suffix*) ext=`echo "$GZIP" | sed 's/^.*--suffix[[:space:]][[:space:]]*\([^[:space:]]*\).*$/\1/'`
+ ;;
+ *) ext='.gz'
+ ;;
+esac
 if test "$ext" = ".Z"; then
   echo znew: cannot use .Z as gzip extension.
   exit 1
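Review bot: L261 still probes `${TOUCH:-touch} -r $tmp.1 $tmp.2`, but this hunk removes the `tmp=/tmp/zfoo.$$` assignment and the creation of those two files, so the probe now runs as `touch -r .1 .2` in the current directory: it fails unless a file named `.1` happens to exist there (in which case it creates `.2`), and the touch fallback with `cpmodarg="-r"` is silently never selected. The Trustix version in the hunk ending at L171 takes the fallback unconditionally; the equivalent here is `if test -z "$cpmod"; then` followed by `cpmod="${TOUCH:-touch}"`.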
diff -u gzip-1.3.2/debian/changelog gzip-1.3.2/debian/changelog
--- gzip-1.3.2/debian/changelog
+++ gzip-1.3.2/debian/changelog
@@ -1,3 +1,11 @@
+gzip (1.3.2-3woody2) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Applied Trustix patch to correct insecure temporary file use in zdiff
+ and znew [zdiff.in, znew.in, CAN-2004-0970, Bugtraq Id 11288]
+
+ -- Martin Schulze <email address hidden> Sun, 31 Oct 2004 20:02:13 +0100
+
 gzip (1.3.2-3woody1) stable-security; urgency=high

   * Non-maintainer upload by the Security Team
only in patch2:
unchanged:
--- gzip-1.3.2.orig/zdiff.in
+++ gzip-1.3.2/zdiff.in
@@ -46,12 +46,12 @@
                 case "$2" in
          *[-.]gz* | *[-.][zZ] | *.t[ga]z)
    F=`echo "$2" | sed 's|.*/||;s|[-.][zZtga]*||'`
- set -C
- trap 'rm -f /tmp/"$F".$$; exit 2' 1 2 13 15 0
- gzip -cdfq "$2" > /tmp/"$F".$$ || exit
- gzip -cdfq "$1" | $comp $OPTIONS - /tmp/"$F".$$
+ TF="`/bin/mktemp -t "$F".XXXXXX`" || exit 1
+ trap "rm -f $TF; exit 2" 1 2 13 15 0
+ gzip -cdfq "$2" > "$TF" || exit
+ gzip -cdfq "$1" | $comp $OPTIONS - "$TF"
                         STAT="$?"
- /bin/rm -f /tmp/"$F".$$ || STAT=2
+ /bin/rm -f $TF || STAT=2
    trap 1 2 13 15 0
    exit $STAT;;

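Review bot: `trap "rm -f $TF; exit 2"` on L316 and `/bin/rm -f $TF` on L321 leave `$TF` unquoted, and its value carries both the user-derived `$F` prefix and the temp directory chosen by `mktemp -t`, so a path with whitespace is word-split and the cleanup removes the wrong names or nothing. `trap 'rm -f "$TF"; exit 2' 1 2 13 15 0` and `/bin/rm -f "$TF" || STAT=2` fix both. Installing the trap only after mktemp has created the file also opens a small window in which an interrupt leaks it, which the removed `trap`-before-create ordering did not have; moving the single-quoted trap above the mktemp line closes it.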
--w5er4h4/Yf2qR8D9--