| [69cde8d] | 1 | Submitted By: Matthew Burgess (matthew at linuxfromscratch dot org) |
|---|
| 2 | Origin: http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.1.diff.gz |
|---|
| 3 | Date: 2005-05-12 |
|---|
| 4 | Initial package version: 1.3.5 |
|---|
| 5 | Description: Fix two security vulnerabilities in gzip: A path traversal |
|---|
| 6 | bug when using the -N option (CAN-2005-1228) and a race condition in the |
|---|
| 7 | file permission restore code (CAN-2005-0998). |
|---|
| 8 | |
|---|
| 9 | diff -Naur gzip-1.3.5.orig/gzip.c gzip-1.3.5/gzip.c |
|---|
| 10 | --- gzip-1.3.5.orig/gzip.c 2002-09-28 07:38:43.000000000 +0000 |
|---|
| 11 | +++ gzip-1.3.5/gzip.c 2005-05-12 19:15:14.796031360 +0000 |
|---|
| 12 | @@ -875,8 +875,11 @@ |
|---|
| 13 | } |
|---|
| 14 | |
|---|
| 15 | close(ifd); |
|---|
| 16 | - if (!to_stdout && close(ofd)) { |
|---|
| 17 | - write_error(); |
|---|
| 18 | + if (!to_stdout) { |
|---|
| 19 | + /* Copy modes, times, ownership, and remove the input file */ |
|---|
| 20 | + copy_stat(&istat); |
|---|
| 21 | + if (close(ofd)) |
|---|
| 22 | + write_error(); |
|---|
| 23 | } |
|---|
| 24 | if (method == -1) { |
|---|
| 25 | if (!to_stdout) xunlink (ofname); |
|---|
| 26 | @@ -896,10 +899,6 @@ |
|---|
| 27 | } |
|---|
| 28 | fprintf(stderr, "\n"); |
|---|
| 29 | } |
|---|
| 30 | - /* Copy modes, times, ownership, and remove the input file */ |
|---|
| 31 | - if (!to_stdout) { |
|---|
| 32 | - copy_stat(&istat); |
|---|
| 33 | - } |
|---|
| 34 | } |
|---|
| 35 | |
|---|
| 36 | /* ======================================================================== |
|---|
| 37 | @@ -1324,6 +1323,8 @@ |
|---|
| 38 | error("corrupted input -- file name too large"); |
|---|
| 39 | } |
|---|
| 40 | } |
|---|
| 41 | + char *base2 = base_name (base); |
|---|
| 42 | + strcpy(base, base2); |
|---|
| 43 | /* If necessary, adapt the name to local OS conventions: */ |
|---|
| 44 | if (!list) { |
|---|
| 45 | MAKE_LEGAL_NAME(base); |
|---|
| 46 | @@ -1725,7 +1726,7 @@ |
|---|
| 47 | reset_times(ofname, ifstat); |
|---|
| 48 | #endif |
|---|
| 49 | /* Copy the protection modes */ |
|---|
| 50 | - if (chmod(ofname, ifstat->st_mode & 07777)) { |
|---|
| 51 | + if (fchmod(ofd, ifstat->st_mode & 07777)) { |
|---|
| 52 | int e = errno; |
|---|
| 53 | WARN((stderr, "%s: ", progname)); |
|---|
| 54 | if (!quiet) { |
|---|
| 55 | @@ -1734,7 +1735,7 @@ |
|---|
| 56 | } |
|---|
| 57 | } |
|---|
| 58 | #ifndef NO_CHOWN |
|---|
| 59 | - chown(ofname, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */ |
|---|
| 60 | + fchown(ofd, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */ |
|---|
| 61 | #endif |
|---|
| 62 | remove_ofname = 0; |
|---|
| 63 | /* It's now safe to remove the input file: */ |
|---|
