| Summary: | app-arch/{bzip2\|gzip}: Race Condition Lets Local Users Modify Perms | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Jean-François Brunette (RETIRED) <formula7> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED WONTFIX | | |
| Severity: | minor | CC: | jaervosz |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| URL: | http://securitytracker.com/alerts/2005/Apr/1013629.html | | |
| Whiteboard: | A4 [upstream] | | |
| Package list: | | Runtime testing required: | --- |

Description
Jean-François Brunette (RETIRED)
2005-04-03 08:37:14 UTC
This is not really severe, since it requires unpacking into a world-writeable, non-sticky-set directory, and knowing in advance which file will be unpacked with which permissions... not sure we should accept it. That said, "the re-application of the permissions to the extracted file could be done in a more secure fashion, namely by calling fchmod on the extracted file's descriptor instead of calling chmod on the path to the file."

I don't mind fixing a minor bug like this but as you say, it doesn't seem worthy of a GLSA at this point ... also, upstream seems kind of dead with this package ... we've tried to contact them before about bugfixes and never had a response :( last release -> Jan 2002

gzip is affected by the same bug. That said, like Tavis said, chown is vulnerable to the same race condition, since the file can be switched with a hardlink by the time you run the command. I propose to resolve as WONTFIX.

I vote WONTFIX as well.

I agree, WONTFIX. Reopen if you disagree, we'll flame you and close it again :)
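
The difference between `chmod` on the path and `fchmod` on the descriptor, as quoted in the thread, shown as an added example that is not part of the original bug report and is not bzip2 or gzip code. The function names, the `/tmp/permrace.*` directory and the `out`/`other` file names are constructed for illustration; the scenario runs entirely inside a private temporary directory.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern from the report: close the output, then chmod by path.
 * The path is resolved again, so it may name a different inode by now. */
static int finish_by_path(int fd, const char *path, mode_t mode) {
    if (close(fd) != 0) return -1;
    return chmod(path, mode);
}

/* Suggested fix: set the mode on the descriptor that was written to. */
static int finish_by_fd(int fd, mode_t mode) {
    int rc = fchmod(fd, mode);
    if (close(fd) != 0) rc = -1;
    return rc;
}

/* Constructed scenario: between writing "out" and setting its mode, the
 * name "out" is re-pointed at an unrelated file ("other", mode 0600).
 * Returns the resulting mode of "other", or -1 on error. */
int other_mode_after(int use_fd) {
    char dir[] = "/tmp/permrace.XXXXXX", out[64], other[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(out, sizeof out, "%s/out", dir);
    snprintf(other, sizeof other, "%s/other", dir);

    int ofd = open(other, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (ofd < 0 || fchmod(ofd, 0600) != 0 || close(ofd) != 0) return -1;

    int fd = open(out, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0 || write(fd, "data\n", 5) != 5) return -1;

    /* The swap that a writable, non-sticky directory permits. */
    if (unlink(out) != 0 || link(other, out) != 0) return -1;

    int rc = use_fd ? finish_by_fd(fd, 0644) : finish_by_path(fd, out, 0644);
    int mode = (rc == 0 && stat(other, &st) == 0) ? (int)(st.st_mode & 07777) : -1;
    unlink(out); unlink(other); rmdir(dir);
    return mode;
}

int main(void) {
    printf("chmod(path): other is %04o\n", (unsigned)other_mode_after(0));
    printf("fchmod(fd):  other is %04o\n", (unsigned)other_mode_after(1));
    return 0;
}
```

With the path-based call the unrelated file ends up with the extracted file's mode; with `fchmod` the mode lands on the inode that was actually written and the unrelated file keeps 0600.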