[8f3d581] | 1 | Submitted By: Matthew Burgess (matthew at linuxfromscratch dot org)
|
---|
| 2 | Origin: http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.1.diff.gz
|
---|
| 3 | Date: 2005-05-12
|
---|
| 4 | Initial package version: 1.3.5
|
---|
| 5 | Description: Fix two security vulnerabilities in gzip: A path traversal
|
---|
| 6 | bug when using the -N option (CAN-2005-1228) and a race condition in the
|
---|
| 7 | file permission restore code (CAN-2005-0998).
|
---|
| 8 |
|
---|
| 9 | diff -Naur gzip-1.3.5.orig/gzip.c gzip-1.3.5/gzip.c
|
---|
| 10 | --- gzip-1.3.5.orig/gzip.c 2002-09-28 07:38:43.000000000 +0000
|
---|
| 11 | +++ gzip-1.3.5/gzip.c 2005-05-12 19:15:14.796031360 +0000
|
---|
| 12 | @@ -875,8 +875,11 @@
|
---|
| 13 | }
|
---|
| 14 |
|
---|
| 15 | close(ifd);
|
---|
| 16 | - if (!to_stdout && close(ofd)) {
|
---|
| 17 | - write_error();
|
---|
| 18 | + if (!to_stdout) {
|
---|
| 19 | + /* Copy modes, times, ownership, and remove the input file */
|
---|
| 20 | + copy_stat(&istat);
|
---|
| 21 | + if (close(ofd))
|
---|
| 22 | + write_error();
|
---|
| 23 | }
|
---|
| 24 | if (method == -1) {
|
---|
| 25 | if (!to_stdout) xunlink (ofname);
|
---|
| 26 | @@ -896,10 +899,6 @@
|
---|
| 27 | }
|
---|
| 28 | fprintf(stderr, "\n");
|
---|
| 29 | }
|
---|
| 30 | - /* Copy modes, times, ownership, and remove the input file */
|
---|
| 31 | - if (!to_stdout) {
|
---|
| 32 | - copy_stat(&istat);
|
---|
| 33 | - }
|
---|
| 34 | }
|
---|
| 35 |
|
---|
| 36 | /* ========================================================================
|
---|
| 37 | @@ -1324,6 +1323,8 @@
|
---|
| 38 | error("corrupted input -- file name too large");
|
---|
| 39 | }
|
---|
| 40 | }
|
---|
| 41 | + char *base2 = base_name (base);
|
---|
| 42 | + strcpy(base, base2);
|
---|
| 43 | /* If necessary, adapt the name to local OS conventions: */
|
---|
| 44 | if (!list) {
|
---|
| 45 | MAKE_LEGAL_NAME(base);
|
---|
| 46 | @@ -1725,7 +1726,7 @@
|
---|
| 47 | reset_times(ofname, ifstat);
|
---|
| 48 | #endif
|
---|
| 49 | /* Copy the protection modes */
|
---|
| 50 | - if (chmod(ofname, ifstat->st_mode & 07777)) {
|
---|
| 51 | + if (fchmod(ofd, ifstat->st_mode & 07777)) {
|
---|
| 52 | int e = errno;
|
---|
| 53 | WARN((stderr, "%s: ", progname));
|
---|
| 54 | if (!quiet) {
|
---|
| 55 | @@ -1734,7 +1735,7 @@
|
---|
| 56 | }
|
---|
| 57 | }
|
---|
| 58 | #ifndef NO_CHOWN
|
---|
| 59 | - chown(ofname, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
|
---|
| 60 | + fchown(ofd, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
|
---|
| 61 | #endif
|
---|
| 62 | remove_ofname = 0;
|
---|
| 63 | /* It's now safe to remove the input file: */
|
---|