Bug 155745

Summary: CAN-2005-0988 Race condition in gzip
Product: Red Hat Enterprise Linux 4 Reporter: Josh Bressers <bressers>
Component: gzipAssignee: Ivana Varekova <varekova>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: low Docs Contact:
Priority: medium    
Version: 4.0Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20050404,source=bugtraq,reported=20050404
Fixed In Version: RHSA-2005-357 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-06-13 12:12:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Proposed patch from Steve Grubb none

Description Josh Bressers 2005-04-22 18:18:09 UTC 
Race condition in gzip 1.2.4, 1.3.3, and earlier when decompressing a gzip
allows local users to modify permissions of arbitrary files via a hard link
attack on a file while it is being decompressed, whose permissions are changed
by gzip after the decompression is complete.

http://www.securityfocus.com/archive/1/394965
Comment 1 Josh Bressers 2005-04-22 18:21:03 UTC 
This issue should also affect RHEL2.1 and RHEL3.
Comment 2 Josh Bressers 2005-04-29 13:59:33 UTC 
Created attachment 113841 [details]
Proposed patch from Steve Grubb
Comment 3 Ivana Varekova 2005-05-03 09:46:47 UTC 
The new versions (gzip-1.3.3-11.rhel3, gzip-1.3.3-15.rhel4, gzip-1.3-17.rhel2)
released.
Ivana Varekova
Comment 4 Petter Reinholdtsen 2005-05-20 16:18:37 UTC 
This bug has been reported into Debian BTS too.  There, a different
patch is suggested to solve the problem.  The debian patch is a lot
shorter.  Have a look at <URL: http://bugs.debian.org/305255 >.
(Just mentioning it, to give you information about another approach.)
Comment 5 Petter Reinholdtsen 2005-05-20 16:58:33 UTC 
I was just confused.  The debian bug I posted is for CAN-2005-1228, and not
this bug.  The currect debian bug for CAN-2005-0988 is #303927.
Comment 6 Josh Bressers 2005-06-13 12:12:58 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-357.html
Comment 7 Derek T. Yarnell 2005-11-30 18:09:59 UTC 
This has to be re-opened.  This patch has produced a bug in gzip files over NFS.  The problem crops up 
with the fchmod hanging for a long time and pushing rpciod load through the roof.  Sometimes the gzip 
finishes and sometimes it doesn't.  I can produce the file that hangs the machine (1.2gig file, 
decompresses into 3gig file) please contact derek.edu.

I have tested this with the Suse unpatched version of this and since it closes the file first then runs chmod 
it does not hang indefinitely.