Trustix developers discovered insecure temporary file creation in
supplemental scripts in the gzip package that can allow local users
to overwrite files via a symlink attack.
Please let me know which version fixes these problems in sid/sarge
while I take care of the package in woody.
I'm attaching the patch from Trustix and the patch I'm using for the
package in woody.
Regards,
Joey
--
This is GNU/Linux Country. On a quiet night, you can hear Windows reboot.
Please always Cc to me when replying to me on the lists.
diff -ur gzip-1.2.4a.orig/gzexe.in gzip-1.2.4a/gzexe.in
--- gzip-1.2.4a.orig/gzexe.in 2004-09-13 11:14:21.000000000 +0200
+++ gzip-1.2.4a/gzexe.in 2004-09-13 11:36:08.000000000 +0200
@@ -13,7 +13,7 @@
# The : is required for some old versions of csh.
# On Ultrix, /bin/sh is too buggy, change the first line to: #!/bin/sh5
-x=`basename $0`
+x=`basename "$0"`
if test $# = 0; then
echo compress executables. original file foo is renamed to foo~
echo usage: ${x} [-d] files...
@@ -21,9 +21,6 @@
exit 1
fi
-echo hi > zfoo1$$
-echo hi > zfoo2$$
-if test -z "`(${CPMOD-cpmod} zfoo1$$ zfoo2$$) 2>&1`"; then
- cpmod=${CPMOD-cpmod}
+cpmod=
+if type ${CPMOD:-cpmod} 2>/dev/null; then
+ cpmod=${CPMOD:-cpmod}
fi
-rm -f zfoo[12]$$
tail=""
IFS="${IFS= }"; saveifs="$IFS"; IFS="${IFS}:"
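Review bot: The new probe `if type ${CPMOD:-cpmod} 2>/dev/null; then` silences only stderr, so whenever cpmod is found `type` prints its location on stdout on every gzexe run. Writing it as `if type "${CPMOD:-cpmod}" >/dev/null 2>&1; then` keeps the check quiet and quotes the override. The probe also only tests that the command exists, whereas the removed lines checked that it ran cleanly on two files, so a short comment stating that a present-but-failing cpmod is now accepted would help the next reader. The same probe appears in the znew.in hunks and in the gzip-1.3.2 copy of this hunk.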
@@ -75,9 +70,14 @@
continue
fi
case "`basename $i`" in
- gzip | tail | chmod | ln | sleep | rm)
+ bash | chmod | gzip | ln | mktemp | rm | sed | sh | tail)
echo "${x}: $i would depend on itself"; continue ;;
esac
+
+ tmp=`/bin/mktemp -t gzexe.XXXXXXXXXX` || exit 1
+ trap "rm -f $tmp; exit 1" HUP INT QUIT PIPE TERM
+ trap "rm -f $tmp; exit 0" EXIT
+
if test -z "$cpmod"; then
cp -p "$i" $tmp 2>/dev/null || cp "$i" $tmp
if test -w $tmp 2>/dev/null; then
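Review bot: The added `trap "rm -f $tmp; exit 0" EXIT` forces a zero exit status, so a run that sets `res=1` (as the later gzexe.in hunk does) would presumably still report success if the script finishes with `exit $res`; the end of the script is outside this hunk. Both traps are also double-quoted, so `$tmp` is expanded when the trap is installed and the path is parsed again as shell text when it fires, which breaks if the temporary directory path contains whitespace. I would write `trap 'rm -f "$tmp"' EXIT` and `trap 'rm -f "$tmp"; exit 1' HUP INT QUIT PIPE TERM`, and quote `"$tmp"` in the `cp` and `test -w` lines. The gzip-1.3.2 gzexe.in hunk carries the same lines.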
@@ -128,6 +128,7 @@
:
else
echo ${x}: $i probably not in gzexe format, file unchanged.
+ rm -f $tmp
res=1
continue
fi
diff -ur gzip-1.2.4a.orig/zdiff.in gzip-1.2.4a/zdiff.in
--- gzip-1.2.4a.orig/zdiff.in 1993-08-17 00:32:16.000000000 +0200
+++ gzip-1.2.4a/zdiff.in 2004-09-13 11:32:22.000000000 +0200
@@ -47,10 +47,11 @@ case "$2" in
*[-.]gz* | *[-.][zZ] | *.t[ga]z)
F=`echo "$2" | sed 's|.*/||;s|[-.][zZtga]*||'`
- gzip -cdfq "$2" > /tmp/"$F".$$
- gzip -cdfq "$1" | $comp $OPTIONS - /tmp/"$F".$$
+ TF="`/bin/mktemp -t "$F".XXXXXX`" || exit 1
+ gzip -cdfq "$2" > "$TF"
+ gzip -cdfq "$1" | $comp $OPTIONS - "$TF" STAT="$?"
- /bin/rm -f /tmp/"$F".$$;;
+ /bin/rm -f "$TF";;
*) gzip -cdfq "$1" | $comp $OPTIONS - "$2" STAT="$?";;
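Review bot: Nothing removes `$TF` if zdiff is interrupted between the `mktemp` call and the final `/bin/rm -f "$TF"`, so the decompressed copy of `$2` stays behind in the temporary directory; the gzip-1.3.2 zdiff.in hunk further down the page does install a trap for this. A single-quoted handler right after the mktemp line, for example `trap 'rm -f "$TF"; exit 2' 1 2 13 15`, would cover it. The result of `gzip -cdfq "$2" > "$TF"` is not checked either, so a failed decompression is compared as if it were an empty file; `|| exit`, as the 1.3.2 variant uses, would stop there. The case statement begins and ends outside this hunk.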
diff -ur gzip-1.2.4a.orig/znew.in gzip-1.2.4a/znew.in
--- gzip-1.2.4a.orig/znew.in 1993-06-23 10:00:25.000000000 +0200
+++ gzip-1.2.4a/znew.in 2004-09-13 11:35:39.000000000 +0200
@@ -14,28 +14,30 @@
# block is the disk block size (best guess, need not be exact)
warn="(does not preserve modes and timestamp)"
-tmp=/tmp/zfoo.$$
-echo hi > $tmp.1
-echo hi > $tmp.2
-if test -z "`(${CPMOD-cpmod} $tmp.1 $tmp.2) 2>&1`"; then
- cpmod=${CPMOD-cpmod}
+cpmod=
+cpmodarg=
+if type ${CPMOD:-cpmod} 2>/dev/null; then
+ cpmod=${CPMOD:-cpmod}
warn=""
fi
-if test -z "$cpmod" && ${TOUCH-touch} -r $tmp.1 $tmp.2 2>/dev/null; then
- cpmod="${TOUCH-touch}"
+if test -z "$cpmod"; then
+ cpmod=touch
cpmodarg="-r"
warn="(does not preserve file modes)"
fi
# check if GZIP env. variable uses -S or --suffix
-gzip -q $tmp.1
-ext=`echo $tmp.1* | sed "s|$tmp.1||"`
-rm -f $tmp.[12]*
-if test -z "$ext"; then
- echo znew: error determining gzip extension
- exit 1
-fi
+case "$GZIP" in
+ *-S*) ext=`echo "$GZIP" | sed 's/^.*-S[[:space:]]*\([^[:space:]]*\).*$/\1/'`
+ ;;
+ *--suffix=*) ext=`echo "$GZIP" | sed 's/^.*--suffix=\([^[:space:]]*\).*$/\1/'`
+ ;;
+ *--suffix*) ext=`echo "$GZIP" | sed 's/^.*--suffix[[:space:]][[:space:]]*\([^[:space:]]*\).*$/\1/'`
+ ;;
+ *) ext='.gz'
+ ;;
+esac
if test "$ext" = ".Z"; then
echo znew: cannot use .Z as gzip extension.
exit 1
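Review bot: The patch drops the `test -z "$ext"` guard, yet the new `case "$GZIP"` block can still produce an empty or bogus `ext`. A value ending in `-S` matches `*-S*` and the sed capture is empty, and a value ending in `--suffix` matches the third arm while the sed expression does not match, so sed prints the input unchanged and `ext` becomes the option text itself. I would keep the removed check after `esac` (`if test -z "$ext"; then echo znew: error determining gzip extension; exit 1; fi`) and add a comment listing the spellings of the option that the patterns are meant to recognise. Separately, `cpmod=touch` no longer honours the `${TOUCH}` override that the removed lines used; if that is intended it deserves a comment. The gzip-1.3.2 znew.in hunk contains the same `case` block.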
diff -u gzip-1.3.2/gzexe.in gzip-1.3.2/gzexe.in
--- gzip-1.3.2/gzexe.in
+++ gzip-1.3.2/gzexe.in
@@ -13,7 +13,7 @@
# The : is required for some old versions of csh.
# On Ultrix, /bin/sh is too buggy, change the first line to: #!/bin/sh5
-x=`basename $0`
+x=`basename "$0"`
if test $# = 0; then
echo compress executables. original file foo is renamed to foo~
echo usage: ${x} [-d] files...
@@ -21,9 +21,6 @@
exit 1
fi
-echo hi > zfoo1$$
-echo hi > zfoo2$$
-if test -z "`(${CPMOD-cpmod} zfoo1$$ zfoo2$$) 2>&1`"; then
- cpmod=${CPMOD-cpmod}
+cpmod=
+if type ${CPMOD:-cpmod} 2>/dev/null; then
+ cpmod=${CPMOD:-cpmod}
fi
-rm -f zfoo[12]$$
tail=""
IFS="${IFS= }"; saveifs="$IFS"; IFS="${IFS}:"
@@ -75,9 +70,14 @@
continue
fi
case "`basename $i`" in
- gzip | tail | chmod | ln | sleep | rm)
+ bash | chmod | gzip | ln | mktemp | rm | sed | sh | tail)
echo "${x}: $i would depend on itself"; continue ;;
esac
+
+ tmp=`/bin/mktemp -t gzexe.XXXXXXXXXX` || exit 1
+ trap "rm -f $tmp; exit 1" HUP INT QUIT PIPE TERM
+ trap "rm -f $tmp; exit 0" EXIT
+
if test -z "$cpmod"; then
cp -p "$i" $tmp 2>/dev/null || cp "$i" $tmp
if test -w $tmp 2>/dev/null; then
@@ -129,6 +129,7 @@
:
else
echo ${x}: $i probably not in gzexe format, file unchanged.
+ rm -f $tmp
res=1
continue
fi
diff -u gzip-1.3.2/znew.in gzip-1.3.2/znew.in
--- gzip-1.3.2/znew.in
+++ gzip-1.3.2/znew.in
@@ -14,29 +14,30 @@
# block is the disk block size (best guess, need not be exact)
warn="(does not preserve modes and timestamp)"
-tmp=/tmp/zfoo.$$
-set -C
-echo hi > $tmp.1 || exit 1
-echo hi > $tmp.2 || exit 1
-if test -z "`(${CPMOD-cpmod} $tmp.1 $tmp.2) 2>&1`"; then
- cpmod=${CPMOD-cpmod}
+cpmod=
+cpmodarg=
+if type ${CPMOD:-cpmod} 2>/dev/null; then
+ cpmod=${CPMOD:-cpmod}
warn=""
fi
-if test -z "$cpmod" && ${TOUCH-touch} -r $tmp.1 $tmp.2 2>/dev/null; then
- cpmod="${TOUCH-touch}"
+if test -z "$cpmod" && ${TOUCH:-touch} -r $tmp.1 $tmp.2 2>/dev/null; then
+ cpmod="${TOUCH:-touch}"
cpmodarg="-r"
warn="(does not preserve file modes)"
fi
# check if GZIP env. variable uses -S or --suffix
-gzip -q $tmp.1
-ext=`echo $tmp.1* | sed "s|$tmp.1||"`
-rm -f $tmp.[12]*
-if test -z "$ext"; then
- echo znew: error determining gzip extension
- exit 1
-fi
+case "$GZIP" in
+ *-S*) ext=`echo "$GZIP" | sed 's/^.*-S[[:space:]]*\([^[:space:]]*\).*$/\1/'`
+ ;;
+ *--suffix=*) ext=`echo "$GZIP" | sed 's/^.*--suffix=\([^[:space:]]*\).*$/\1/'`
+ ;;
+ *--suffix*) ext=`echo "$GZIP" | sed 's/^.*--suffix[[:space:]][[:space:]]*\([^[:space:]]*\).*$/\1/'`
+ ;;
+ *) ext='.gz'
+ ;;
+esac
if test "$ext" = ".Z"; then
echo znew: cannot use .Z as gzip extension.
exit 1
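Review bot: The rewritten fallback `if test -z "$cpmod" && ${TOUCH:-touch} -r $tmp.1 $tmp.2 2>/dev/null; then` still probes `$tmp.1` and `$tmp.2`, but this hunk deletes both the `tmp=/tmp/zfoo.$$` assignment and the two `echo hi >` lines that created those files. Unless `tmp` is assigned somewhere outside the hunk, the probe expands to `.1` and `.2` in the current directory and fails, so the touch fallback is never selected; if the variable is inherited from the environment, the probe touches whatever path the caller supplied. The gzip-1.2.4a version of this hunk avoids the probe entirely with `if test -z "$cpmod"; then` and `cpmod=touch`, which would be the consistent change here.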
diff -u gzip-1.3.2/debian/changelog gzip-1.3.2/debian/changelog
--- gzip-1.3.2/debian/changelog
+++ gzip-1.3.2/debian/changelog
@@ -1,3 +1,11 @@
+gzip (1.3.2-3woody2) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Applied Trustix patch to correct insecure temporary file use in zdiff
+ and znew [zdiff.in, znew.in, CAN-2004-0970, Bugtraq Id 11288]
+
+ -- Martin Schulze <email address hidden> Sun, 31 Oct 2004 20:02:13 +0100
+
gzip (1.3.2-3woody1) stable-security; urgency=high
Message-ID: <email address hidden>
Date: Mon, 1 Nov 2004 14:20:09 +0100
From: Martin Schulze <email address hidden>
To: <email address hidden>
Subject: CAN-2004-0970: Insecure temporary files
--w5er4h4/Yf2qR8D9 Disposition: inline
Content-Type: text/plain; charset=iso-8859-1
Content-
Package: gzip
Version: 1.3.5-9
Severity: grave
Tags: sarge, sid, security, patch
Trustix developers discovered insecure temporary file creation in
supplemental scripts in the gzip package that can allow local users
to overwrite files via a symlink attack.
Please let me know which version fixes these problems in sid/sarge
while I take care of the package in woody.
I'm attaching the patch from Trustix and the patch I'm using for the
package in woody.
Regards,
Joey
--
This is GNU/Linux Country. On a quiet night, you can hear Windows reboot.
Please always Cc to me when replying to me on the lists.
--w5er4h4/Yf2qR8D9 Disposition: attachment; filename= "gzip-1. 2.4-tempfile. patch"
Content-Type: text/plain; charset=iso-8859-1
Content-
diff -ur gzip-1. 2.4a.orig/ gzexe.in gzip-1. 2.4a/gzexe. in 2.4a.orig/ gzexe.in 2004-09-13 11:14:21.000000000 +0200 2.4a/gzexe. in 2004-09-13 11:36:08.000000000 +0200
--- gzip-1.
+++ gzip-1.
@@ -13,7 +13,7 @@
# The : is required for some old versions of csh.
# On Ultrix, /bin/sh is too buggy, change the first line to: #!/bin/sh5
-x=`basename $0`
+x=`basename "$0"`
if test $# = 0; then
echo compress executables. original file foo is renamed to foo~
echo usage: ${x} [-d] files...
@@ -21,9 +21,6 @@
exit 1
fi
-tmp=gz$$
-trap "rm -f $tmp; exit 1" 1 2 3 5 10 13 15
-
decomp=0
res=0
test "$x" = "ungzexe" && decomp=1
@@ -32,12 +29,10 @@
shift
fi
-echo hi > zfoo1$$ {CPMOD- cpmod} {CPMOD: -cpmod}
-echo hi > zfoo2$$
-if test -z "`(${CPMOD-cpmod} zfoo1$$ zfoo2$$) 2>&1`"; then
- cpmod=$
+cpmod=
+if type ${CPMOD:-cpmod} 2>/dev/null; then
+ cpmod=$
fi
-rm -f zfoo[12]$$
tail="" 2.4a.orig/ zdiff.in gzip-1. 2.4a/zdiff. in 2.4a.orig/ zdiff.in 1993-08-17 00:32:16.000000000 +0200 2.4a/zdiff. in 2004-09-13 11:32:22.000000000 +0200
case "$2" in |;s|[-. ][zZtga] *||'`
STAT= "$?"
IFS="${IFS= }"; saveifs="$IFS"; IFS="${IFS}:"
@@ -75,9 +70,14 @@
continue
fi
case "`basename $i`" in
- gzip | tail | chmod | ln | sleep | rm)
+ bash | chmod | gzip | ln | mktemp | rm | sed | sh | tail)
echo "${x}: $i would depend on itself"; continue ;;
esac
+
+ tmp=`/bin/mktemp -t gzexe.XXXXXXXXXX` || exit 1
+ trap "rm -f $tmp; exit 1" HUP INT QUIT PIPE TERM
+ trap "rm -f $tmp; exit 0" EXIT
+
if test -z "$cpmod"; then
cp -p "$i" $tmp 2>/dev/null || cp "$i" $tmp
if test -w $tmp 2>/dev/null; then
@@ -128,6 +128,7 @@
:
else
echo ${x}: $i probably not in gzexe format, file unchanged.
+ rm -f $tmp
res=1
continue
fi
diff -ur gzip-1.
--- gzip-1.
+++ gzip-1.
@@ -47,10 +47,11 @@
*[-.]gz* | *[-.][zZ] | *.t[ga]z)
F=`echo "$2" | sed 's|.*/|
- gzip -cdfq "$2" > /tmp/"$F".$$
- gzip -cdfq "$1" | $comp $OPTIONS - /tmp/"$F".$$
+ TF="`/bin/mktemp -t "$F".XXXXXX`" || exit 1
+ gzip -cdfq "$2" > "$TF"
+ gzip -cdfq "$1" | $comp $OPTIONS - "$TF"
- /bin/rm -f /tmp/"$F".$$;;
+ /bin/rm -f "$TF";;
*) gzip -cdfq "$1" | $comp $OPTIONS - "$2"
STAT= "$?";; 2.4a.orig/ znew.in gzip-1.2.4a/znew.in 2.4a.orig/ znew.in 1993-06-23 10:00:25.000000000 +0200
diff -ur gzip-1.
--- gzip-1.
+++ gzip-1.2.4a/znew.in 2004-09-13 11:35:39.000000000 +0200
@@ -14,28 +14,30 @@
# block is the disk block size (best guess, need not be exact)
warn="(does not preserve modes and timestamp)" {CPMOD- cpmod} {CPMOD: -cpmod}
-tmp=/tmp/zfoo.$$
-echo hi > $tmp.1
-echo hi > $tmp.2
-if test -z "`(${CPMOD-cpmod} $tmp.1 $tmp.2) 2>&1`"; then
- cpmod=$
+cpmod=
+cpmodarg=
+if type ${CPMOD:-cpmod} 2>/dev/null; then
+ cpmod=$
warn=""
fi
-if test -z "$cpmod" && ${TOUCH-touch} -r $tmp.1 $tmp.2 2>/dev/null; then ${TOUCH- touch}"
- cpmod="
+if test -z "$cpmod"; then
+ cpmod=touch
cpmodarg="-r"
warn="(does not preserve file modes)"
fi
# check if GZIP env. variable uses -S or --suffix S[[:space: ]]*\([^ [:space: ]]*\).* $/\1/'` -suffix= \([^[:space: ]]*\).* $/\1/'` -suffix[ [:space: ]][[:space: ]]*\([^ [:space: ]]*\).* $/\1/'`
-gzip -q $tmp.1
-ext=`echo $tmp.1* | sed "s|$tmp.1||"`
-rm -f $tmp.[12]*
-if test -z "$ext"; then
- echo znew: error determining gzip extension
- exit 1
-fi
+case "$GZIP" in
+ *-S*) ext=`echo "$GZIP" | sed 's/^.*-
+ ;;
+ *--suffix=*) ext=`echo "$GZIP" | sed 's/^.*-
+ ;;
+ *--suffix*) ext=`echo "$GZIP" | sed 's/^.*-
+ ;;
+ *) ext='.gz'
+ ;;
+esac
if test "$ext" = ".Z"; then
echo znew: cannot use .Z as gzip extension.
exit 1
--w5er4h4/Yf2qR8D9 Disposition: attachment; filename= "patch. CAN-2004- 0970.gzip"
Content-Type: text/plain; charset=iso-8859-1
Content-
diff -u gzip-1.3.2/gzexe.in gzip-1.3.2/gzexe.in
--- gzip-1.3.2/gzexe.in
+++ gzip-1.3.2/gzexe.in
@@ -13,7 +13,7 @@
# The : is required for some old versions of csh.
# On Ultrix, /bin/sh is too buggy, change the first line to: #!/bin/sh5
-x=`basename $0`
+x=`basename "$0"`
if test $# = 0; then
echo compress executables. original file foo is renamed to foo~
echo usage: ${x} [-d] files...
@@ -21,9 +21,6 @@
exit 1
fi
-tmp=gz$$
-trap "rm -f $tmp; exit 1" 1 2 3 5 10 13 15
-
decomp=0
res=0
test "$x" = "ungzexe" && decomp=1
@@ -32,12 +29,10 @@
shift
fi
-echo hi > zfoo1$$ {CPMOD- cpmod} {CPMOD: -cpmod}
-echo hi > zfoo2$$
-if test -z "`(${CPMOD-cpmod} zfoo1$$ zfoo2$$) 2>&1`"; then
- cpmod=$
+cpmod=
+if type ${CPMOD:-cpmod} 2>/dev/null; then
+ cpmod=$
fi
-rm -f zfoo[12]$$
tail=""
IFS="${IFS= }"; saveifs="$IFS"; IFS="${IFS}:"
@@ -75,9 +70,14 @@
continue
fi
case "`basename $i`" in
- gzip | tail | chmod | ln | sleep | rm)
+ bash | chmod | gzip | ln | mktemp | rm | sed | sh | tail)
echo "${x}: $i would depend on itself"; continue ;;
esac
+
+ tmp=`/bin/mktemp -t gzexe.XXXXXXXXXX` || exit 1
+ trap "rm -f $tmp; exit 1" HUP INT QUIT PIPE TERM
+ trap "rm -f $tmp; exit 0" EXIT
+
if test -z "$cpmod"; then
cp -p "$i" $tmp 2>/dev/null || cp "$i" $tmp
if test -w $tmp 2>/dev/null; then
@@ -129,6 +129,7 @@
:
else
echo ${x}: $i probably not in gzexe format, file unchanged.
+ rm -f $tmp
res=1
continue
fi
diff -u gzip-1.3.2/znew.in gzip-1.3.2/znew.in
--- gzip-1.3.2/znew.in
+++ gzip-1.3.2/znew.in
@@ -14,29 +14,30 @@
# block is the disk block size (best guess, need not be exact)
warn="(does not preserve modes and timestamp)" {CPMOD- cpmod} {CPMOD: -cpmod}
-tmp=/tmp/zfoo.$$
-set -C
-echo hi > $tmp.1 || exit 1
-echo hi > $tmp.2 || exit 1
-if test -z "`(${CPMOD-cpmod} $tmp.1 $tmp.2) 2>&1`"; then
- cpmod=$
+cpmod=
+cpmodarg=
+if type ${CPMOD:-cpmod} 2>/dev/null; then
+ cpmod=$
warn=""
fi
-if test -z "$cpmod" && ${TOUCH-touch} -r $tmp.1 $tmp.2 2>/dev/null; then ${TOUCH- touch}" ${TOUCH: -touch} "
- cpmod="
+if test -z "$cpmod" && ${TOUCH:-touch} -r $tmp.1 $tmp.2 2>/dev/null; then
+ cpmod="
cpmodarg="-r"
warn="(does not preserve file modes)"
fi
# check if GZIP env. variable uses -S or --suffix S[[:space: ]]*\([^ [:space: ]]*\).* $/\1/'` -suffix= \([^[:space: ]]*\).* $/\1/'` -suffix[ [:space: ]][[:space: ]]*\([^ [:space: ]]*\).* $/\1/'` 3.2/debian/ changelog gzip-1. 3.2/debian/ changelog 3.2/debian/ changelog 3.2/debian/ changelog
-gzip -q $tmp.1
-ext=`echo $tmp.1* | sed "s|$tmp.1||"`
-rm -f $tmp.[12]*
-if test -z "$ext"; then
- echo znew: error determining gzip extension
- exit 1
-fi
+case "$GZIP" in
+ *-S*) ext=`echo "$GZIP" | sed 's/^.*-
+ ;;
+ *--suffix=*) ext=`echo "$GZIP" | sed 's/^.*-
+ ;;
+ *--suffix*) ext=`echo "$GZIP" | sed 's/^.*-
+ ;;
+ *) ext='.gz'
+ ;;
+esac
if test "$ext" = ".Z"; then
echo znew: cannot use .Z as gzip extension.
exit 1
diff -u gzip-1.
--- gzip-1.
+++ gzip-1.
@@ -1,3 +1,11 @@
+gzip (1.3.2-3woody2) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Applied Trustix patch to correct insecure temporary file use in zdiff
+ and znew [zdiff.in, znew.in, CAN-2004-0970, Bugtraq Id 11288]
+
+ -- Martin Schulze <email address hidden> Sun, 31 Oct 2004 20:02:13 +0100
+
gzip (1.3.2-3woody1) stable-security; urgency=high
* Non-maintainer upload by the Security Team 3.2.orig/ zdiff.in
case "$2" in |;s|[-. ][zZtga] *||'`
STAT= "$?"
only in patch2:
unchanged:
--- gzip-1.
+++ gzip-1.3.2/zdiff.in
@@ -46,12 +46,12 @@
*[-.]gz* | *[-.][zZ] | *.t[ga]z)
F=`echo "$2" | sed 's|.*/|
- set -C
- trap 'rm -f /tmp/"$F".$$; exit 2' 1 2 13 15 0
- gzip -cdfq "$2" > /tmp/"$F".$$ || exit
- gzip -cdfq "$1" | $comp $OPTIONS - /tmp/"$F".$$
+ TF="`/bin/mktemp -t "$F".XXXXXX`" || exit 1
+ trap "rm -f $TF; exit 2" 1 2 13 15 0
+ gzip -cdfq "$2" > "$TF" || exit
+ gzip -cdfq "$1" | $comp $OPTIONS - "$TF"
- /bin/rm -f /tmp/"$F".$$ || STAT=2
+ /bin/rm -f $TF || STAT=2
trap 1 2 13 15 0
exit $STAT;;
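Review bot: The replacement handler `trap "rm -f $TF; exit 2" 1 2 13 15 0` is double-quoted where the removed one was single-quoted, so `$TF` is expanded when the trap is installed and its text is parsed again as shell code when the trap fires. `$TF` contains `$F`, which is derived from the file name in `$2`, so whitespace or shell metacharacters in that name end up inside the handler instead of staying a single argument to rm. Keeping the original quoting, `trap 'rm -f "$TF"; exit 2' 1 2 13 15 0`, and quoting the final removal as `/bin/rm -f "$TF" || STAT=2` avoids that. The case statement starts and ends outside this hunk.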
--w5er4h4/ Yf2qR8D9- -