[69cde8d] | 1 | Submitted By: Matthew Burgess (matthew at linuxfromscratch dot org) |
---|
| 2 | Origin: http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.1.diff.gz |
---|
| 3 | Date: 2005-05-12 |
---|
| 4 | Initial package version: 1.3.5 |
---|
| 5 | Description: Fix two security vulnerabilities in gzip: A path traversal |
---|
| 6 | bug when using the -N option (CAN-2005-1228) and a race condition in the |
---|
| 7 | file permission restore code (CAN-2005-0998). |
---|
| 8 | |
---|
| 9 | diff -Naur gzip-1.3.5.orig/gzip.c gzip-1.3.5/gzip.c |
---|
| 10 | --- gzip-1.3.5.orig/gzip.c 2002-09-28 07:38:43.000000000 +0000 |
---|
| 11 | +++ gzip-1.3.5/gzip.c 2005-05-12 19:15:14.796031360 +0000 |
---|
| 12 | @@ -875,8 +875,11 @@ |
---|
| 13 | } |
---|
| 14 | |
---|
| 15 | close(ifd); |
---|
| 16 | - if (!to_stdout && close(ofd)) { |
---|
| 17 | - write_error(); |
---|
| 18 | + if (!to_stdout) { |
---|
| 19 | + /* Copy modes, times, ownership, and remove the input file */ |
---|
| 20 | + copy_stat(&istat); |
---|
| 21 | + if (close(ofd)) |
---|
| 22 | + write_error(); |
---|
| 23 | } |
---|
| 24 | if (method == -1) { |
---|
| 25 | if (!to_stdout) xunlink (ofname); |
---|
| 26 | @@ -896,10 +899,6 @@ |
---|
| 27 | } |
---|
| 28 | fprintf(stderr, "\n"); |
---|
| 29 | } |
---|
| 30 | - /* Copy modes, times, ownership, and remove the input file */ |
---|
| 31 | - if (!to_stdout) { |
---|
| 32 | - copy_stat(&istat); |
---|
| 33 | - } |
---|
| 34 | } |
---|
| 35 | |
---|
| 36 | /* ======================================================================== |
---|
| 37 | @@ -1324,6 +1323,8 @@ |
---|
| 38 | error("corrupted input -- file name too large"); |
---|
| 39 | } |
---|
| 40 | } |
---|
| 41 | + char *base2 = base_name (base); |
---|
| 42 | + strcpy(base, base2); |
---|
| 43 | /* If necessary, adapt the name to local OS conventions: */ |
---|
| 44 | if (!list) { |
---|
| 45 | MAKE_LEGAL_NAME(base); |
---|
| 46 | @@ -1725,7 +1726,7 @@ |
---|
| 47 | reset_times(ofname, ifstat); |
---|
| 48 | #endif |
---|
| 49 | /* Copy the protection modes */ |
---|
| 50 | - if (chmod(ofname, ifstat->st_mode & 07777)) { |
---|
| 51 | + if (fchmod(ofd, ifstat->st_mode & 07777)) { |
---|
| 52 | int e = errno; |
---|
| 53 | WARN((stderr, "%s: ", progname)); |
---|
| 54 | if (!quiet) { |
---|
| 55 | @@ -1734,7 +1735,7 @@ |
---|
| 56 | } |
---|
| 57 | } |
---|
| 58 | #ifndef NO_CHOWN |
---|
| 59 | - chown(ofname, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */ |
---|
| 60 | + fchown(ofd, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */ |
---|
| 61 | #endif |
---|
| 62 | remove_ofname = 0; |
---|
| 63 | /* It's now safe to remove the input file: */ |
---|