Bug 68405 - app-arch/gzip: Insecure tmpfile use
Bug#: 68405 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: All Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: koon@gentoo.org
Component: Vulnerabilities
URL:  http://www.trustix.org/errata/2004/0050
Summary: app-arch/gzip: Insecure tmpfile use
Keywords:  
Status Whiteboard: B3 [noglsa]
Opened: 2004-10-21 07:57 0000
Description:   Opened: 2004-10-21 07:57 0000 
CAN-2004-0970

The (1) gzexe, (2) zdiff, and (3) znew scripts in the gzip package in
Trustix Secure Linux 1.5 through 2.1, and possibly other operating
systems, allows local users to overwrite files via a symlink attack on
temporary files.

------- Comment #1 From Thierry Carrez (RETIRED) 2004-10-21 08:17:03 0000 ------- 
We use an unpatched zdiff that looks vulnerable :

---------------snip----------------
gzip -cdfq "$2" > /tmp/"$F".$$ || exit
---------------snip----------------

However there doesn't seem to be any patches out there for that one... Maybe lewk could find one ?

------- Comment #2 From Luke Macken (RETIRED) 2004-10-24 17:07:17 0000 ------- 
Created an attachment (id=42521) [details]
zdiff.in-tempfile.patch

Patch to fix tempfile vulnerabilities in zdiff.

------- Comment #3 From Luke Macken (RETIRED) 2004-10-24 17:10:12 0000 ------- 
base-system, please verify and apply patch.

------- Comment #4 From Thierry Carrez (RETIRED) 2004-10-25 04:50:12 0000 ------- 
Patch looks good to me...

------- Comment #5 From solar 2004-10-26 16:27:39 0000 ------- 
Old - gzip-1.3.5-r1
KEYWORDS="x86 ppc sparc mips alpha arm hppa amd64 ~ia64 ~ppc64 ~s390"

New - gzip-1.3.5-r2
KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~ppc64 ~s390"

ppc64/ia64/s390 still have 1.3.3-r4 stable.

The changes are so minor that I would think the arches would prefer to have this 
go right into it's stable if it was stable on 1.3.5-r1. But for GLSA's and tools 
it's always best to rev bump.

Arch maintainers in the future what do you prefer when the changes are so tiny 
and dont effect the object code?
1) That you always be the one todo it.
2) That other I/we use our best judgement and save you a few mails & cpu cycles.

------- Comment #6 From solar 2004-10-26 16:28:44 0000 ------- 
Oh arch-maintainers please test and mark gzip-1.3.5-r2 as stable

------- Comment #7 From Gustavo Zacarias (RETIRED) 2004-10-26 17:00:10 0000 ------- 
sparc tasty.

------- Comment #8 From Travis Tilley (RETIRED) 2004-10-26 18:03:48 0000 ------- 
stable on amd64.

------- Comment #9 From Joe Jezak 2004-10-26 19:52:37 0000 ------- 
Tested and marked stable on ppc

------- Comment #10 From Bryan Østergaard (RETIRED) 2004-10-27 01:48:36 0000 ------- 
Stable on alpha.

------- Comment #11 From Hardave Riar (RETIRED) 2004-10-27 16:04:40 0000 ------- 
Stable on mips.

------- Comment #12 From Seemant Kulleen (RETIRED) 2004-10-27 16:56:48 0000 ------- 
stable on x86

------- Comment #13 From Thierry Carrez (RETIRED) 2004-10-28 00:30:06 0000 ------- 
Only zdiff is affected, so it's a B3 : security, please vote on GLSA need.

------- Comment #14 From SpanKY 2004-10-28 05:18:19 0000 ------- 
arm/hppa/ia64/s390 stable

------- Comment #15 From Kurt Lieber 2004-10-28 11:57:38 0000 ------- 
zdiff is fairly obscure...I'll go with no on this one.

------- Comment #16 From Luke Macken (RETIRED) 2004-10-28 12:03:10 0000 ------- 
Closing without GLSA.

------- Comment #17 From Tom Gall 2004-10-30 08:59:13 0000 ------- 
stable on ppc64