Bug 70277 - zdiff bug in gzip-1.3.5-r2
|
Bug#:
70277
|
Product: Gentoo Linux
|
Version: unspecified
|
Platform: x86
|
|
OS/Version: Linux
|
Status: CLOSED
|
Severity: normal
|
Priority: P2
|
|
Resolution: FIXED
|
Assigned To: base-system@gentoo.org
|
Reported By: mi-gentoo@moensolutions.com
|
|
Component: Ebuilds
|
|
|
URL:
|
|
Summary: zdiff bug in gzip-1.3.5-r2
|
|
Keywords:
|
|
Status Whiteboard:
|
|
Opened: 2004-11-06 09:48 0000
|
When trying to use zdiff on 2 gzipped files (works fine when only one file is
gzipped) you get the following error:
/bin/zdiff: line 54: /tmp/gzcuA0AB: cannot overwrite existing file
Possibly related to bug #68405
uname -a
Linux xxxx 2.4.25_pre7-gss-r2 #2 SMP Tue Mar 2 06:45:59 PST 2004 i686 AMD
Athlon(tm) MP 2400+ AuthenticAMD GNU/Linux
gzip-r4 in the tree. No patch for this. Remains problem (security bug?)
hi,
i guess, the problem is here:
line 37:
tmp=`tempfile -d /tmp -p gz` || {
...
this actually _creates_ a temporary file...
and this behaviour of tempfile is the reason, why
line 53:
gzip -cdfq "$2" > $tmp || exit
(correctly) refuses to extract to an existing file...
solution:
one could unlink the tempfile after creating it with tempfile
note, that this solution would introduce (theoretically) a race condition...
(an attacker knows the tempfilename after unlinking and _before_ actually writing to that file)
as gzip refuses to extract, if the file already exists, i guess this would be a
good solution anyways...
further comments?
best regards
florian
Still does not work when comparing 2 gzipped files.
zdiff mysql-2004-11-13-170003.sql.gz mysql-2004-12-08-140005.sql.gz
/bin/zdiff: line 51: /tmp/mysql2004-12-08-140005.sql.gz.52jbkt: cannot overwrite existing file
And now that gzip-1.3.5-r1 has been removed from the tree I don't have a working version of gzip.
Confirmed fixed in gzip-1.3.5-r5
