Bug 152857

Summary: CAN-2004-0970 gzip temporary files issues
Product: [Retired] Fedora Legacy
Reporter: Marc Deslauriers <marc.deslauriers>
Component: Package request
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: pekkas, rob.myers
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139360
Whiteboard: 1, LEGACY, rh73, rh90
Doc Type: Bug Fix

Description David Lawrence 2005-03-30 23:29:53 UTC
Trustix has discovered temporary file bugs in gzexe, zdiff and znew
which could allow a local user to overwrite arbitrary files by
creating specially named symlinks.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139360
http://www.debian.org/security/2004/dsa-588
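
As an added illustration, not code from this bug report, from gzip's scripts or from the Debian patch: the predictable-name temp-file pattern the description refers to, beside a mktemp-based one, with a defensive symlink check; the `zdemo` names and the scratch directory are constructed for the demo.

```sh
#!/bin/sh
# Added example (constructed; not gzip's own code).

# Predictable temp name of the kind the report describes: derived only from
# the PID, so another local user can guess it and plant a symlink in advance.
predictable_tmp_name() {
    printf '%s/zdemo.%s\n' "$1" "$$"
}

# Hardened alternative: mktemp creates the file itself (O_CREAT|O_EXCL) under
# an unpredictable name, so a pre-planted symlink is never followed.
safe_tmp_file() {
    mktemp "$1/zdemo.XXXXXX"
}

# Defensive write: refuse to write through a path that is a symlink.
write_if_regular() {
    if [ -L "$1" ]; then return 1; fi
    printf 'scratch data\n' > "$1"
}

# Run the scenario in a private scratch directory.
# Returns 0 when the checked write refuses the planted symlink, the victim
# file is untouched, and the mktemp file is written; non-zero otherwise.
demo() {
    scratch=$(mktemp -d) || return 2
    victim="$scratch/victim"
    printf 'original\n' > "$victim"
    planted=$(predictable_tmp_name "$scratch")
    ln -s "$victim" "$planted"                      # simulated planted symlink
    write_if_regular "$planted" && { rm -rf "$scratch"; return 3; }
    [ "$(cat "$victim")" = "original" ] || { rm -rf "$scratch"; return 4; }
    safe=$(safe_tmp_file "$scratch") || { rm -rf "$scratch"; return 5; }
    write_if_regular "$safe" || { rm -rf "$scratch"; return 6; }
    [ "$(cat "$safe")" = "scratch data" ] || { rm -rf "$scratch"; return 7; }
    rm -rf "$scratch"
    echo "symlink refused, victim intact, mktemp path written"
}
```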



------- Additional Comments From rob.myers.edu 2004-11-29 11:53:45 ----

afaict, this does not apply to gzip-1.3.3-11 on fc1.  Of course that does not
explain why Red Hat is looking at this issue for RHEL3 and RHEL4...  I guess I'll
keep an eye on any patches that they release.

can someone else confirm/deny this?



------- Additional Comments From siegert 2005-01-07 11:12:44 ----

Created an attachment (id=962)
CAN-2004-0970 for gzip-1.3.3

This is the only part of the Debian patch that seems to apply to gzip-1.3.3 -
if at all.



------- Additional Comments From pekkas 2005-02-15 07:17:37 ----

Hmm.  Red Hat has already included a hardened version of the script; from
changelogs:

* Fri Oct 26 2001 Trond Eivind Glomsrød <teg> 1.3.0-16
- replace tempfile patches with improved ones solar
- Add less to the dependency chain - zless needs it

Can anyone check this out?  Maybe we can close this as NOTABUG.



------- Additional Comments From marcdeslauriers 2005-03-05 20:11:20 ----

Yep. Confirmed. This was already fixed.






------- Bug moved to this database by dkl 2005-03-30 18:29 -------

This bug previously known as bug 2292 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2292
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
CAN-2004-0970 for gzip-1.3.3
https://bugzilla.fedora.us/attachment.cgi?action=view&id=962

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.