Bug 157696
| Summary: | Gzip vulnerabilities, CAN-2005-0758,0988,1228 | ||
|---|---|---|---|
| Product: | [Retired] Fedora Legacy | Reporter: | John Dalbec <jpdalbec> |
| Component: | gzip | Assignee: | Fedora Legacy Bugs <bugs> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rhl7.3 | CC: | madhatter, mgerber, pekkas, sheltren |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| URL: | http://www.securitytracker.com/alerts/2005/May/1013928.html | ||
| Whiteboard: | 1, 2, rh73, rh90 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-08-10 23:50:23 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
John Dalbec
2005-05-13 20:54:47 UTC
The above is CAN-2005-0758. [see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=121514] CAN-2005-0988 Race condition in gzip 1.2.4, 1.3.3, and earlier when decompressing a gzip allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete. [see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155745] CAN-2005-1228 Directory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file. [see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=156266] The above 3 problems should be in the RHEL release process now, but haven't come out yet, at least. gzip-1.3.3-12.rhel3.src.rpm from an advisory mentioned in comment #2 recompiles on RH7.3 without any changes (save a release tag). Results work too. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've created SRPMs using the patches from RHEL: RH 7.3: http://www.cs.ucsb.edu/~jeff/legacy/gzip-1.3.3-2.legacy.src.rpm 166e411f87dc2761d661bf1b08ba68a9c3444eaa gzip-1.3.3-2.legacy.src.rpm RH9: http://www.cs.ucsb.edu/~jeff/legacy/gzip-1.3.3-10.legacy.src.rpm 2da74c3c37963ea1465f72695a7df56ee0dae285 gzip-1.3.3-10.legacy.src.rpm FC1: http://www.cs.ucsb.edu/~jeff/legacy/gzip-1.3.3-12.legacy.src.rpm 6e3fea19f448ef72cb2edfb14e529f579512f08a gzip-1.3.3-12.legacy.src.rpm FC2: http://www.cs.ucsb.edu/~jeff/legacy/gzip-1.3.3-13.legacy.src.rpm b8b1cc4e2b9d5d5bcdcb76d813bc6d898879e422 gzip-1.3.3-13.legacy.src.rpm The patches are: gzip-1.3.3-zgrep-sed.patch gzip-1.3.3-gzip-perm.patch gzip-1.3.3-gunzip-dir.patch and should fix CAN 2005-0758, 2005-0988, and 2005-1228 respectively -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFC1aT9Ke7MLJjUbNMRApELAKCO4emY2flJBpp6lcaRAFFzZRFrZwCeODI9 T6567QHIeXlcPeORmC8xUQ8= =+vkT -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
QA w/ rpm-build-compare.sh:
- spec file changes good
- source integrity OK
- versioning could be changed later; I'd use
gzip-1.3.3-1.1.legacy.src.rpm, gzip-1.3.3-9.1.legacy.src.rpm, etc.
so that the number space is not exhausted.
- patches similar to RHEL3 in most accounts, HOWEVER I noted the following
difference:
- --- [legacy gzip-1.3.3-zgrep-sed.patch]
+++ [RHEL3 same patch]
10:33:53.000000000 +0300
@@ -21,7 +21,7 @@
elif test $with_filename -eq 0 && { test $# -eq 1 || test $no_filename -eq
1; }; then
$grep $opt "$pat"
else
- -+ i=${i//\\/\\\\}
++ i=${i//\\\\/\\\\}
+ i=${i//|/\\|}
+ i=${i//&/\\&}
+ i=`printf "%s" "$i" | tr '\n' ' '`
This difference seems substantial. Therefore I'd ask what did you use as a
source for these patches? If the zgrep-sed.patch was the same as in RHEL3,
I'd give all of these a PUBLISH.
2da74c3c37963ea1465f72695a7df56ee0dae285 gzip-1.3.3-10.legacy.src.rpm
6e3fea19f448ef72cb2edfb14e529f579512f08a gzip-1.3.3-12.legacy.src.rpm
b8b1cc4e2b9d5d5bcdcb76d813bc6d898879e422 gzip-1.3.3-13.legacy.src.rpm
166e411f87dc2761d661bf1b08ba68a9c3444eaa gzip-1.3.3-2.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQFC1hewGHbTkzxSL7QRAvCIAKCOFJc4Itr28cuCOx11pYB8g/lSIACgvuQR
BzT1aQpI9O+uVLVxddaihv8=
=aWLU
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 It is from the RHEL4 package... not sure why that would be different than RHEL3, but apparently it is. I've put updated packages here which have two changes: 1) version numbers are updated like you mentioned 2) now using rhel3 patch instead of rhel4 RH 7.3: http://www.cs.ucsb.edu/~jeff/legacy/gzip-1.3.3-1.1.legacy.src.rpm db921b8916975a1cce8aae68509f3db35c4c0ab2 gzip-1.3.3-1.1.legacy.src.rpm RH9: http://www.cs.ucsb.edu/~jeff/legacy/gzip-1.3.3-9.1.legacy.src.rpm 2b93f34a0c7cdd083aef2786a3245ade678e0c27 gzip-1.3.3-9.1.legacy.src.rpm FC1: http://www.cs.ucsb.edu/~jeff/legacy/gzip-1.3.3-11.1.legacy.src.rpm aef7a6eee33c512ead62a1cce9a238b99fed7297 gzip-1.3.3-11.1.legacy.src.rpm FC2: http://www.cs.ucsb.edu/~jeff/legacy/gzip-1.3.3-12.1.legacy.src.rpm 0095a8f25f80d4ff46508b2698acecd58a384bb0 gzip-1.3.3-12.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFC1maYKe7MLJjUbNMRAsmMAJ9cLDYuQaRBy6A7fRDyrsBDZRHtDQCgxlOP nu7SygIBikMARW69G4GXy1g= =Uyi2 -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA w/ rpm-build-compare.sh: - source integrity OK - spec file changes minimal - patches verified to match RHEL3 +PUBLISH RHL73, RHL9, FC1, FC2 aef7a6eee33c512ead62a1cce9a238b99fed7297 gzip-1.3.3-11.1.legacy.src.rpm db921b8916975a1cce8aae68509f3db35c4c0ab2 gzip-1.3.3-1.1.legacy.src.rpm 0095a8f25f80d4ff46508b2698acecd58a384bb0 gzip-1.3.3-12.1.legacy.src.rpm 2b93f34a0c7cdd083aef2786a3245ade678e0c27 gzip-1.3.3-9.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFC16unGHbTkzxSL7QRAvTKAJ47k9pKoJoBSTO9MJ5fmlUYRiHDPACgxBD/ x9+qDCRBvlUrLGDU2cPSwFE= =4aVT -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 e502c04eba525ffc028597d89a561234a5e4677a /var/cache/yum/fedora-legacy-testing/packages/gzip-1.3.3-9.1.legacy.i386.rpm installs OK. created a file of random data, gzip'ped it, renamed the .gz file, gunzip'ped it with -N, sha1sum is unchanged and original name restored. +VERIFY RH9 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFC3JzvePtvKV31zw4RAjLgAKCr0u35UznKNpc6WVKjHuB2mjQYmwCgqyq5 9l18yhl7vd/WwPX+cbSGW5c= =pEBM -----END PGP SIGNATURE----- I tested this on RHL73. The basic functionality is OK, but I noted the following difference w/ rpm-build-compare.sh: --rw-r--r-- root root 6411 /usr/share/info/gzip.info.gz +-rw-r--r-- root root 30 /usr/share/info/gzip.info.gz At install, there was also a message: $ rpm -Uvh gzip-1.3.3-1.1.legacy.i386.rpm Preparing... ########################################### [100%] 1:gzip ########################################### [100%] install-info: warning: no info dir entry in `/usr/share/info/gzip.info.gz' .. it appears that gzip.info page has been truncated for some reason, compared to the previous version as shipped by RH? As far as I can tell, this is a build system issue. I just ran an 'rpmbuild --rebuild' on the 7.3 src rpm from updates-testing and the info file is the right size in the resulting rpm. My guess would be a missing buildrequires: texinfo. You're absolutely right. I'm build new packages with texinfo buildrequires right now. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OK, I built some new packages with the texinfo buildrequires which should fix the problem with the info file. Only change is adding 'BuildRequires: texinfo' (and bumping the release number) RH7.3: 7d7d75996ab2d6a94835798ba09cd85139f3b7d6 gzip-1.3.3-1.2.legacy.src.rpm http://www.cs.ucsb.edu/~jeff/legacy/gzip-1.3.3-1.2.legacy.src.rpm RH9: 1e4c0dbc59ceb3d4290043ec6c15c4999524d6e9 gzip-1.3.3-9.2.legacy.src.rpm http://www.cs.ucsb.edu/~jeff/legacy/gzip-1.3.3-9.2.legacy.src.rpm FC1: e029a76e81be925bda92fab8bf2812f8d1d1757d gzip-1.3.3-11.2.legacy.src.rpm http://www.cs.ucsb.edu/~jeff/legacy/gzip-1.3.3-11.2.legacy.src.rpm FC2: 2d38445cc436a662fb7e6ccde3f6cf11d4a55155 gzip-1.3.3-12.2.legacy.src.rpm http://www.cs.ucsb.edu/~jeff/legacy/gzip-1.3.3-12.2.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFC3XskKe7MLJjUbNMRApgTAKCfY4xNvPsqNWpcL1Im0k549k7KFQCfSmOb sMV2LysuO4cLS9jHoWX8Cic= =jSKF -----END PGP SIGNATURE----- I think adding buildreqs can be added by Marc without new packages. In general, if this is about missing 'texinfo', this can be troublesome in general, as I'm pretty sure only a couple of packages which ship info pages have that dependency.. New packages have been put to updates-testing. I'd say this requires redoing the RHL9 verify vote. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 inasmuch as my verify was any use (did the issue impact functionality?), here it is again: 7960019da89fbdee222e71b7d9884e6dc9ed3056 gzip-1.3.3-9.2.legacy.i386.rpm installs OK. created a file of random data, gzip'ped it (verified the original file is gone), renamed the .gz file, gunzip'ped it with -N, sha1sum is unchanged and original name restored. +VERIFY RH9 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFC3dtyePtvKV31zw4RAgs8AJ9BibdGlxPPMtgerKTYe1hke8FO2ACfYzBV n14uejYsn38WRO1sAKnHMZw= =lMD6 -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Check w/ RHL73. Gzip and gunzip seem to work properly. Info page installs nicely this time. Seems to work as intended; +VERIFY RHL73 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFC3mvNGHbTkzxSL7QRAv6KAKC1Kl8uYECzhqkF/gJct9ZooguGUQCgynD5 5v0EXT0KOjjz0OlWEI0KeVc= =WLg2 -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 16a19e2142d83f1db86dbf5a9a5a0b4e35d50c92 gzip-1.3.3-1.2.legacy.i386.rpm It works and no problems with the info page. VERIFY +RHL73 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFC36cWCjsw+mN5avkRAosSAKDCOkWTIdlsqM0dev5TGt28xM+RxACaA193 TYp4z7WI+N7bvQuBPFw3bes= =2A3S -----END PGP SIGNATURE----- Timeout is two weeks. Timeout over. Packages were released. |