Bug 152857 - CAN-2004-0970 gzip temporary files issues
Status: CLOSED NOTABUG
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Fedora Legacy Bugs
URL: https://bugzilla.redhat.com/bugzilla/...
Whiteboard: 1, LEGACY, rh73, rh90
Reported: 2004-11-20 05:46 EST by Marc Deslauriers
Modified: 2008-05-01 11:38 EDT
Doc Type: Bug Fix
Description David Lawrence 2005-03-30 18:29:53 EST
Trustix has discovered temporary file bugs in gzexe, zdiff and znew
which could allow a local user to overwrite arbitrary files by
creating specially named symlinks.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139360
http://www.debian.org/security/2004/dsa-588
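The description above concerns predictable temporary file names in gzip's helper scripts. What follows is an added example, not code from gzip, Debian or this report: it places the PID-based pattern beside a mktemp-based replacement and adds a small audit helper that flags the old pattern in a shell script (the function names and the sample script are constructed for this illustration).

```shell
#!/bin/sh
# Added example, not code from gzip or from this bug report: the predictable
# temp-file pattern behind CAN-2004-0970, a hardened replacement using mktemp,
# and a small audit helper that flags the old pattern in a shell script.

# Name derived from the PID only: guessable by another local user, and the
# later redirection into it follows whatever already sits at that path.
# This is the shape of the defect in gzexe/zdiff/znew; kept for comparison.
unsafe_tmp_name() {
    echo "/tmp/gzexe$$"
}

# Hardened: mktemp creates the file itself, exclusively, with a random suffix,
# so nothing pre-placed at a guessed name is ever opened.  TMPDIR is honoured
# so a per-user directory can replace the shared /tmp.
safe_tmp_file() {
    mktemp "${TMPDIR:-/tmp}/gzexe.XXXXXX"
}

# Audit helper: count lines that build a path under /tmp from $$.
# Prints the count; exits non-zero when at least one such line exists.
audit_tmp_usage() {
    n=$(grep -Ec '/tmp/[[:alnum:]_.-]*\$\$' "$1" || true)
    n=${n:-0}
    echo "$n"
    [ "$n" -eq 0 ]
}

# Constructed sample in the style of the pre-fix script fragment.
sample=$(mktemp "${TMPDIR:-/tmp}/sample.XXXXXX")
cat > "$sample" <<'EOF'
tmp=/tmp/gzexe$$
trap 'rm -f $tmp' 0
echo test > $tmp
EOF

if audit_tmp_usage "$sample" >/dev/null; then
    echo "sample: no predictable temp names"
else
    echo "sample: predictable temp name found, use mktemp instead"
fi
rm -f "$sample"
```

Running the audit helper over an installed gzexe, zdiff or znew is a quick way to check whether a given build still carries the PID-based names or already has the hardened version mentioned later in this report.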

------- Additional Comments From rob.myers@gtri.gatech.edu 2004-11-29 11:53:45 ----

AFAICT, this does not apply to gzip-1.3.3-11 on FC1. Of course that does not
explain why Red Hat is looking at this issue for RHEL3 and RHEL4... I guess I'll
keep an eye on any patches that they release.

Can someone else confirm/deny this?

------- Additional Comments From siegert@sfu.ca 2005-01-07 11:12:44 ----

Created an attachment (id=962)
CAN-2004-0970 for gzip-1.3.3

This is the only part of the Debian patch that seems to apply to gzip-1.3.3 -
if at all.

------- Additional Comments From pekkas@netcore.fi 2005-02-15 07:17:37 ----

Hmm.  Red Hat has already included a hardened version of the script; from
changelogs:

* Fri Oct 26 2001 Trond Eivind Glomsrød <teg@redhat.com> 1.3.0-16
- replace tempfile patches with improved ones solar@openwall.com
- Add less to the dependency chain - zless needs it

Can anyone check this out?  Maybe we can close this as NOTABUG.

------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-05 20:11:20 ----

Yep. Confirmed. This was already fixed.

------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:29 -------

This bug previously known as bug 2292 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2292
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
CAN-2004-0970 for gzip-1.3.3
https://bugzilla.fedora.us/attachment.cgi?action=view&id=962

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.
