68405 2004-10-21 07:57 0000 app-arch/gzip: Insecure tmpfile use 2009-07-13 22:32:34 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://www.trustix.org/errata/2004/0050 B3 [noglsa] P2 normal --- 1 koon@gentoo.org security@gentoo.org beejay@gentoo.org koon@gentoo.org 2004-10-21 07:57:23 0000 CAN-2004-0970 The (1) gzexe, (2) zdiff, and (3) znew scripts in the gzip package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files. koon@gentoo.org 2004-10-21 08:17:03 0000 We use an unpatched zdiff that looks vulnerable : ---------------snip---------------- gzip -cdfq "$2" > /tmp/"$F".$$ || exit ---------------snip---------------- However there doesn't seem to be any patches out there for that one... Maybe lewk could find one ? lewk@gentoo.org 2004-10-24 17:07:17 0000 Created an attachment (id=42521) zdiff.in-tempfile.patch Patch to fix tempfile vulnerabilities in zdiff. lewk@gentoo.org 2004-10-24 17:10:12 0000 base-system, please verify and apply patch. koon@gentoo.org 2004-10-25 04:50:12 0000 Patch looks good to me... solar@gentoo.org 2004-10-26 16:27:39 0000 Old - gzip-1.3.5-r1 KEYWORDS="x86 ppc sparc mips alpha arm hppa amd64 ~ia64 ~ppc64 ~s390" New - gzip-1.3.5-r2 KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~ppc64 ~s390" ppc64/ia64/s390 still have 1.3.3-r4 stable. The changes are so minor that I would think the arches would prefer to have this go right into it's stable if it was stable on 1.3.5-r1. But for GLSA's and tools it's always best to rev bump. Arch maintainers in the future what do you prefer when the changes are so tiny and dont effect the object code? 1) That you always be the one todo it. 2) That other I/we use our best judgement and save you a few mails & cpu cycles. solar@gentoo.org 2004-10-26 16:28:44 0000 Oh arch-maintainers please test and mark gzip-1.3.5-r2 as stable gustavoz@gentoo.org 2004-10-26 17:00:10 0000 sparc tasty. lv@gentoo.org 2004-10-26 18:03:48 0000 stable on amd64. josejx@gentoo.org 2004-10-26 19:52:37 0000 Tested and marked stable on ppc kloeri@gentoo.org 2004-10-27 01:48:36 0000 Stable on alpha. hardave@gentoo.org 2004-10-27 16:04:40 0000 Stable on mips. seemant@gentoo.org 2004-10-27 16:56:48 0000 stable on x86 koon@gentoo.org 2004-10-28 00:30:06 0000 Only zdiff is affected, so it's a B3 : security, please vote on GLSA need. vapier@gentoo.org 2004-10-28 05:18:19 0000 arm/hppa/ia64/s390 stable klieber@gentoo.org 2004-10-28 11:57:38 0000 zdiff is fairly obscure...I'll go with no on this one. lewk@gentoo.org 2004-10-28 12:03:10 0000 Closing without GLSA. tgall@gentoo.org 2004-10-30 08:59:13 0000 stable on ppc64 42521 2004-10-24 17:07 0000 zdiff.in-tempfile.patch zdiff.in-tempfile.patch text/plain LS0tIGd6aXAtMS4zLjUvemRpZmYuaW4ub3JpZwkyMDA0LTEwLTI0IDE5OjUyOjE2Ljg3NTk4NzIw OCAtMDQwMAorKysgZ3ppcC0xLjMuNS96ZGlmZi5pbgkyMDA0LTEwLTI0IDIwOjAwOjI1LjY4NTY3 Njg0MCAtMDQwMApAQCAtMzUsNiArMzUsMTAgQEAKIAllY2hvICJVc2FnZTogJHByb2cgWyR7Y29t cH1fb3B0aW9uc10gZmlsZSBbZmlsZV0iCiAJZXhpdCAyCiBmaQordG1wPWB0ZW1wZmlsZSAtZCAv dG1wIC1wIGd6YCB8fCB7CisgICAgICBlY2hvICdjYW5ub3QgY3JlYXRlIGEgdGVtcG9yYXJ5IGZp bGUnID4mMgorICAgICAgZXhpdCAxCit9CiBzZXQgJEZJTEVTCiBpZiB0ZXN0ICQjIC1lcSAxOyB0 aGVuCiAJRklMRT1gZWNobyAiJDEiIHwgc2VkICdzL1stLl1belp0Z2FdKiQvLydgCkBAIC00Nywx MSArNTEsMTEgQEAKIAkgICAgICAgICpbLS5dZ3oqIHwgKlstLl1belpdIHwgKi50W2dhXXopCiAJ CQlGPWBlY2hvICIkMiIgfCBzZWQgJ3N8LiovfHw7c3xbLS5dW3padGdhXSp8fCdgCiAJCQlzZXQg LUMKLQkJCXRyYXAgJ3JtIC1mIC90bXAvIiRGIi4kJDsgZXhpdCAyJyBIVVAgSU5UIFBJUEUgVEVS TSAwCi0JCQlnemlwIC1jZGZxICIkMiIgPiAvdG1wLyIkRiIuJCQgfHwgZXhpdAotICAgICAgICAg ICAgICAgICAgICAgICBnemlwIC1jZGZxICIkMSIgfCAkY29tcCAkT1BUSU9OUyAtIC90bXAvIiRG Ii4kJAorCQkJdHJhcCAncm0gLWYgJHRtcDsgZXhpdCAyJyBIVVAgSU5UIFBJUEUgVEVSTSAwCisJ CQlnemlwIC1jZGZxICIkMiIgPiAkdG1wIHx8IGV4aXQKKwkJCWd6aXAgLWNkZnEgIiQxIiB8ICRj b21wICRPUFRJT05TIC0gJHRtcAogICAgICAgICAgICAgICAgICAgICAgICAgU1RBVD0iJD8iCi0J CQkvYmluL3JtIC1mIC90bXAvIiRGIi4kJCB8fCBTVEFUPTIKKwkJCS9iaW4vcm0gLWYgJHRtcCB8 fCBTVEFUPTIKIAkJCXRyYXAgLSBIVVAgSU5UIFBJUEUgVEVSTSAwCiAJCQlleGl0ICRTVEFUOzsK IAo=