87794 – app-arch/{bzip2|gzip}: Race Condition Lets Local Users Modify Perms

Bug 87794 - app-arch/{bzip2|gzip}: Race Condition Lets Local Users Modify Perms

Summary: app-arch/{bzip2|gzip}: Race Condition Lets Local Users Modify Perms

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All All

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:	http://securitytracker.com/alerts/200...
Whiteboard:	A4 [upstream]
Keywords:

Duplicates (1):	92927 (view as bug list)
Depends on:
Blocks:

Reported:	2005-04-03 08:37 UTC by Jean-François Brunette (RETIRED)
Modified:	2005-05-17 08:06 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jean-François Brunette (RETIRED) gentoo-dev

2005-04-03 08:37:14 UTC

Version(s): 1.0.2 and prior versions
Description:  A file permission vulnerability was reported in bzip2. A local user can change the permissions of certain files on the target system.

A local user with write access to a directory that the target user is using bzip2 with to extract or compress a file can change the permissions on any file owned by the target user.

When extracting a file, the software applies the permissions of a compressed file to the uncompressed file. However, there is a time period between when the file handle for the uncompressed file is closed and the permissions are changed. A local user can exploit this race condition by replacing the decompressed file with a hardlink to another file on the target system during that time period. The hardlinked file's permissions will be changed to the permissions of the compressed bzip2 file.
Impact:  A local user can cause the permissions on files owned by the target user to be changed when the target user decompresses a file using bzip2.
Solution:  No vendor solution was available at the time of this entry.

As a workaround, the author of the report indicates that you can make sure that any directory that is being used by bzip2 to compress/decompress files is only writeable by the user or you can set the sticky bit on the directory's permissions.

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2005-04-03 09:08:43 UTC

This is not really severe, since it requires unpacking into a world-writeable, non-sticky-set directory, and knowing in advance which file will be unpacked with which permissions... not sure we should accept it.

That said, "the re-application of the permissions to the extracted file could be done in a more secure fashion, namely by calling fchmod on the extracted file's descriptor instead of calling chmod on the path to the file."

Comment 2 SpanKY gentoo-dev

2005-04-03 10:00:41 UTC

i dont mind fixing a minor bug like this but as you say, it doesnt seem worthy of a GLSA at this point ...

also, upstream seems kind of dead with this package ... we've tried to contact them before about bugfixes and never had a response :(

last release -> Jan 2002

Comment 3 Thierry Carrez (RETIRED) gentoo-dev

2005-04-05 10:40:05 UTC

gzip is affected by the same bug.
That said, like Tavis said, chown is vulnerable to the same race condition, since the file can be switched with a hardlink by the time you run the command.

I propose to resolve as WONTFIX.

Comment 4 Luke Macken (RETIRED) gentoo-dev

2005-04-05 10:44:14 UTC

I vote WONTFIX as well.

Comment 5 Tavis Ormandy (RETIRED) gentoo-dev

2005-04-05 10:59:25 UTC

I agree, WONTFIX.

Comment 6 Thierry Carrez (RETIRED) gentoo-dev

2005-04-05 11:35:12 UTC

Reopen if you disagree, we'll flame you and close it again :)

Comment 7 Tavis Ormandy (RETIRED) gentoo-dev

2005-05-17 08:06:54 UTC

*** Bug 92927 has been marked as a duplicate of this bug. ***