Bug 911556 (CVE-2013-0296)

Summary: CVE-2013-0296 pigz: Temporary archive representation created with insecure permissions
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: adel.gadllah, bkabrda, ccoleman, dmcphers, jialiu, lmeyer, mmcgrath, orion
Keywords: Reopened, Security
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20130215,reported=20130215,source=oss-security,cvss2=1.9/AV:L/AC:M/Au:N/C:P/I:N/A:N,fedora-all/pigz=affected,epel-all/pigz=affected
Doc Type: Bug Fix
Last Closed: 2015-08-21 19:41:44 EDT
Bug Depends On: 911557, 911558
Bug Blocks: 767033

Description Jan Lieskovsky 2013-02-15 06:00:57 EST
A security flaw was found in the way pigz, a parallel implementation of gzip, created temporary files to (temporarily) store / represent 'to be compressed archive content' (the files were created with world-readable permissions). A local attacker could use this flaw to obtain sensitive information (archive content).

References:
[1] http://www.openwall.com/lists/oss-security/2013/02/15/4
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700608

Comment 1 Jan Lieskovsky 2013-02-15 06:03:23 EST
Further issue details from [1]:
-------------------------------
When asked to compress a file with restricted permissions (like
mode 0600), the .gz file pigz creates while doing this has
usual mode derived from umask (like 0644).  If the file is
large enough (and why we would use pigz instead of gzip for
small files), this results in the original content being
readable for everyone until the compression finishes.

Here's the deal:

$ fallocate -l 1G foo
$ chmod 0600 foo
$ pigz foo &
$ ls -l foo foo.gz
-rw------- 1 mjt mjt 1073741824 Feb 15 12:27 foo
-rw-rw-r-- 1 mjt mjt     502516 Feb 15 12:27 foo.gz

When it finishes, it correctly applies original file permissions
to the newly created file, but it is already waaay too late.
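
The permission window described in this comment, reproduced as an added C example that is not part of the bug report or pigz's source: the output is opened either with a umask-derived mode or owner-only. The function names, the /tmp path and the 022 umask are assumptions made for the demo.

```c
/* Added example (constructed demo, not pigz source code). */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700          /* mkdtemp() under strict -std modes */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* hardened=0: 0666 filtered by umask (0644 under 022). hardened=1: owner-only
 * until the caller fchmod()s the finished output to the input's mode. */
static int open_out(const char *out, int hardened)
{
    return open(out, O_CREAT | O_EXCL | O_WRONLY, hardened ? 0600 : 0666);
}

/* Creates a 0600 input in a fresh temp dir, opens "<input>.gz" and returns
 * the output's permission bits as seen while compression would be running. */
int demo_mode(int hardened)
{
    char dir[] = "/tmp/pigzdemoXXXXXX", in[64], out[64];
    struct stat st;
    mode_t old = umask(022);       /* assumed typical default umask */
    int rc = -1, fd;

    if (mkdtemp(dir) == NULL) { umask(old); return -1; }
    snprintf(in, sizeof in, "%s/foo", dir);
    snprintf(out, sizeof out, "%s/foo.gz", dir);
    fd = open(in, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd >= 0) {
        close(fd);
        fd = open_out(out, hardened);
        if (fd >= 0) {
            if (fstat(fd, &st) == 0) rc = (int)(st.st_mode & 0777);
            close(fd);
            unlink(out);
        }
        unlink(in);
    }
    rmdir(dir);
    umask(old);
    return rc;
}

int main(void)
{
    printf("umask-derived: %04o  owner-only: %04o\n", demo_mode(0), demo_mode(1));
    return 0;
}
```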

Comment 2 Jan Lieskovsky 2013-02-15 06:04:28 EST
Created pigz tracking bugs for this issue

Affects: fedora-all [bug 911557]
Affects: epel-all [bug 911558]

Comment 3 Jan Lieskovsky 2013-02-16 06:42:47 EST
The CVE identifier of CVE-2013-0296 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2013/02/16/3

Comment 4 Adel Gadllah 2013-02-16 07:16:54 EST
Please don't copy random bugs from other bug trackers without any attempt to verify that it even applies to fedora / epel.

The bug you mention has long been fixed in pigz-2.2.5 [1]

And we have been shipping this version since August 2012.

1: http://mail.zlib.net/pipermail/pigz-announce_zlib.net/2012-July/000006.html

Comment 5 Jan Lieskovsky 2013-02-16 07:24:16 EST
(In reply to comment #4)

Adel, please don't change state on main CVE security bug (it is not just for Fedora and Fedora EPEL products).

> Please don't copy random bugs from other bug trackers without any attempt to
> verify that it even applies to fedora / epel.
> 
> The bug you mention has long been fixed in pigz-2.2.5 [1]
> 
> And we have been shipping this version since August 2012.
> 
> 1:
> http://mail.zlib.net/pipermail/pigz-announce_zlib.net/2012-July/000006.html

You are correct. Issue is fixed in pigz versions, as shipped with Fedora EPEL 5, Fedora EPEL 6, and Fedora 18. But not (yet) with Fedora 17. Please schedule that update.

Comment 6 Adel Gadllah 2013-02-16 07:25:27 EST
(In reply to comment #5)

Oh indeed, no idea why I didn't update F17 back then. My bad, will update ASAP.

Comment 7 Jan Lieskovsky 2013-02-16 07:33:33 EST
(In reply to comment #6)

Thank you. I am going to open fedora-all one to let it get closed by Bodhi (when the update is done and package pushed).

Thanks for the help.

Comment 8 Fedora Update System 2013-02-25 21:46:16 EST
pigz-2.2.5-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.