Submitted By: Matthew Burgess (matthew at linuxfromscratch dot org) Origin: http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.1.diff.gz Date: 2005-05-12 Initial package version: 1.3.5 Description: Fix two security vulnerabilities in gzip: A path traversal bug when using the -N option (CAN-2005-1228) and a race condition in the file permission restore code (CAN-2005-0998). diff -Naur gzip-1.3.5.orig/gzip.c gzip-1.3.5/gzip.c --- gzip-1.3.5.orig/gzip.c 2002-09-28 07:38:43.000000000 +0000 +++ gzip-1.3.5/gzip.c 2005-05-12 19:15:14.796031360 +0000 @@ -875,8 +875,11 @@ } close(ifd); - if (!to_stdout && close(ofd)) { - write_error(); + if (!to_stdout) { + /* Copy modes, times, ownership, and remove the input file */ + copy_stat(&istat); + if (close(ofd)) + write_error(); } if (method == -1) { if (!to_stdout) xunlink (ofname); @@ -896,10 +899,6 @@ } fprintf(stderr, "\n"); } - /* Copy modes, times, ownership, and remove the input file */ - if (!to_stdout) { - copy_stat(&istat); - } } /* ======================================================================== @@ -1324,6 +1323,8 @@ error("corrupted input -- file name too large"); } } + char *base2 = base_name (base); + strcpy(base, base2); /* If necessary, adapt the name to local OS conventions: */ if (!list) { MAKE_LEGAL_NAME(base); @@ -1725,7 +1726,7 @@ reset_times(ofname, ifstat); #endif /* Copy the protection modes */ - if (chmod(ofname, ifstat->st_mode & 07777)) { + if (fchmod(ofd, ifstat->st_mode & 07777)) { int e = errno; WARN((stderr, "%s: ", progname)); if (!quiet) { @@ -1734,7 +1735,7 @@ } } #ifndef NO_CHOWN - chown(ofname, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */ + fchown(ofd, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */ #endif remove_ofname = 0; /* It's now safe to remove the input file: */