Bug 158801 - bzip2 issues: CAN-2005-0953,0758,1260
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: bzip2
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
Whiteboard: LEGACY, rh73, rh9, 1, 2
Keywords: Security
Duplicates: 157057 157058 157059 157060
Reported: 2005-05-25 16:48 EDT by Michal Jaegermann
Modified: 2007-04-18 13:26 EDT (History)
Last Closed: 2005-11-14 19:54:24 EST
Attachments:
  Patch included in RHEL 3 that's not in FC3. (369 bytes, patch)
    2005-09-03 07:19 EDT, David Eisenstein
  Test cases for the FC3 bzgrep versus the RHEL3 bzgrep (13.65 KB, application/x-gzip)
    2005-09-04 00:47 EDT, David Eisenstein

Description Michal Jaegermann 2005-05-25 16:48:31 EDT
Description of problem:

A recent update bzip2-1.0.2-13.FC3 fixes the two following problems:
  permission setting for decompressed files - bug #155742
  decompression bomb (DoS) - bug #157548

The same source rpm recompiles without any changes, save release string,
on rhl7.3, and by inference on other distros, and works fine.

Indirectly through libraries various other programs are affected.  You
can see these on your system by doing 'rpm -e --test bzip2-libs' but the
list includes rpm, gnome-core, gnome-vfs, kdelibs, nautilus, php.

A sample source rpm is available as
ftp://ftp.harddata.com/pub/Legacy_srpms/bzip2-1.0.2-13.0.73.legacy.src.rpm
but the only thing changed in it is a release identifier and a changelog
entry to mark a rebuild.
Comment 1 Michal Jaegermann 2005-06-16 15:37:33 EDT
Source rpm was updated to
ftp://ftp.harddata.com/pub/Legacy_srpms/bzip2-1.0.2-13.1.73.legacy.src.rpm
to track changes which showed in bzip2-1.0.2-13.FC3.1.  The only difference
is a "sanitized" substitution in bzgrep shell script done in the same way
as in gzip sources mentioned in https://rhn.redhat.com/errata/RHSA-2005-357.html
(cf. bug 157696). Curiously enough there are no FC3 updates for gzip so far.
Comment 2 David Eisenstein 2005-09-02 05:10:04 EDT
From RHSA-2005:474-01  <http://tinyurl.com/blt2r>

"A bug was found in the way bzgrep processes file names. If a user can be
tricked into running bzgrep on a file with a carefully crafted file name,
arbitrary commands could be executed as the user running bzgrep. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2005-0758 to this issue.

"A bug was found in the way bzip2 modifies file permissions during
decompression. If an attacker has write access to the directory into which
bzip2 is decompressing files, it is possible for them to modify permissions
on files owned by the user running bzip2 (CAN-2005-0953).

"A bug was found in the way bzip2 decompresses files. It is possible for an
attacker to create a specially crafted bzip2 file which will cause bzip2 to
cause a denial of service (by filling disk space) if decompressed by a
victim (CAN-2005-1260)."

According to this RHSA, these vulnerabilities are a low security impact.

Here are the relevant Red Hat Bugzilla items for RHEL:
Bug 159816 - CAN-2005-0758 bzgrep has security issue in sed usage
Bug 155742 - CAN-2005-0953 bzip2 race condition
Bug 157548 - CAN-2005-1260 bzip2 decompression bomb (DoS)

Michal, can you maybe add the two CAN-2005-{0758,1260} to the title?  (I
can't because I don't have proper Bugzilla permissions to make changes to
bugs I don't own.)

Also, what distro is your bzip2-1.0.2-13.1.73.legacy.src.rpm for?  RH7.3?
Does it include patches for all 3 CAN's?  (I suspect the answers to
these questions, having peeked into your .srpm, but it would be good to
have my suspicions affirmed.)

I plan to make packages for RH9, FC1, and FC2, though I don't know much
about FC2 at this time.  If I do something wrong, someone can chew me out
later.  :-)
Comment 3 Michal Jaegermann 2005-09-02 11:40:09 EDT
> From RHSA-2005:474-01  <http://tinyurl.com/blt2r>

Would you, please, refrain from sticking in such places references via tinyurl.
It helps if it is immediately clear to what you are pointing.

> Also, what distro is your bzip2-1.0.2-13.1.73.legacy.src.rpm for?  RH7.3?

Yes, RH7.3 but recompiling that elsewhere is a trivial exercise.

As I wrote - this package is tracking changes done in bzip2-1.0.2-13.FC3.1
from the current FC3 updates.  Regrettably there are no CAN numbers in
the Changelog for the later one although entries seem to indicate that all
three problems are actually covered.  There is nothing which would stop
somebody from re-checking that.
Comment 4 David Eisenstein 2005-09-03 07:19:22 EDT
Created attachment 118419 [details]
Patch included in RHEL 3 that's not in FC3.

> > From RHSA-2005:474-01  <http://tinyurl.com/blt2r>
> 
> Would you, please, refrain from sticking in such places references via
> tinyurl.  It helps if it is immediately clear to what you are pointing.

Sure.  I will try to avoid tinyurls from now on.  Didn't realize that they
were counter-productive.

> Regrettably there are no CAN numbers in the Changelog for the later one
> although entries seem to indicate that all three problems are actually
> covered.  There is nothing which would stop somebody from re-checking that.

True.  I have just now rechecked, and it indeed looks like the patches are
exactly for these three CAN numbers.  

Perhaps the most recent changelog could be changed thusly:

* Thu Jun 16 2005 Michal Jaegermann <michal@harddata.com>
- resynchronized for rhl7.3 with bzip2-1.0.2-13.FC3.1.src.rpm, #158801

* Wed Jun 08 2005 Jiri Ryska <jryska@redhat.com>
- fixed sed flaw in bzgrep   #159817, CAN-2005-0758

* Wed May 25 2005 Michal Jaegermann <michal@harddata.com>
- recompiled for rhl7.3  #158801

* Thu May 19 2005 Jiri Ryska <jryska@redhat.com>
- fixed permission setting for decompressed files #155742, CAN-2005-0953
- fixed decompression bomb (DoS) #157548,  CAN-2005-1260


Incidentally, regarding the fixing of the sed flaw, there is a difference in
the patch file bzip2-1.0.2-bzgrep.patch between the RHEL 3 .src.rpm package
and the FC3 .src.rpm package, upon which your package was based.  I have
notified Red Hat of that discrepancy (Bug 159816 comment 2), as one version
of this patch may be incorrect.

There is another discrepancy also between the RHEL .src.rpm and the FC3 one.
The RHEL .src.rpm has an additional patch file -- "bzip2-1.0.2-tempfile.patch".

It is enclosed.  Is this an appropriate patch for the RH7.3 environment?
Comment 5 Michal Jaegermann 2005-09-03 10:32:48 EDT
AFAICT a patch version used in FC3 is correct.  The fragment in question
escapes backslashes used in a sed pattern few lines down of bzgrep script.
A version which uses 'j=${i//\\\\/\\\\}' will do that too but only if there
is a double backslash in $i.
Comment 6 David Eisenstein 2005-09-04 00:47:44 EDT
Created attachment 118434 [details]
Test cases for the FC3 bzgrep versus the RHEL3 bzgrep

SHA1sum of the attachment:
09e992a0e6bb50fa7387f927041a50994b4555c8  test-cases.tar.gz

Did a little testing on bzgrep.  Test scripts are in the attached
"test-cases.tar.gz".  Just untar the tarball, go to the test-cases/ directory
and run:

  $ ./doit.sh

That will display the results of RHEL 3's bzgrep and FC3's bzgrep on two 
test files (one of which has an embedded backslash in its filename) and 
pipe the bzgrep results into less.

My take on this is that the RHEL 3 bzgrep patch is more correct than the
FC3 patch.  In the FC3-patched version of bzgrep, the `\f' in the filename
gets converted into a form-feed (^L) in the display lines, but
in the RHEL 3 version, the `\f' displays as `\f'.

The bash interpretation of ${variable//<pattern>/<replacement>} is certainly
not as intuitive as one might wish!

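The bzgrep file-name splicing discussed in comments 5 and 6, as an added example that is not from the bzip2 package or this bug report: it shows why a name embedded in bzgrep's sed replacement must be escaped and what a correct escape looks like. It escapes with sed rather than the bash ${var//pattern/replacement} idiom the patch uses, so the bash quoting behaviour comment 6 remarks on does not come into play; the file names are constructed.

```bash
#!/bin/bash
# Added example, not code from the bzip2 package or this bug report. It
# demonstrates the bug class behind CAN-2005-0758: bzgrep spliced the file
# name into a sed program ("s|^|$i:|") to prefix matching lines, so sed
# metacharacters in the name became sed syntax. Escaping is done with sed
# instead of bash's ${var//pattern/replacement} so the result does not depend
# on the bash quoting behaviour discussed in comment 6.
# Assumes POSIX sed, tr and printf.

# Vulnerable pattern: prefix every stdin line with "<name>:" using the raw name.
prefix_unsafe() {
    sed "s|^|$1:|"
}

# Make a file name safe to embed as the replacement inside s|^|...|:
#  - a newline would end the sed command, so it becomes a space (as the fix does)
#  - backslash, the | delimiter and & (sed's "matched text") get a backslash
# All three are escaped in one pass, so nothing is escaped twice.
sanitize_for_sed() {
    printf '%s' "$1" | tr '\n' ' ' | sed 's/[\\|&]/\\&/g'
}

# Fixed pattern: same sed command, escaped name. The shell does not apply
# backslash removal to the value of $j, so the doubled backslashes reach sed.
prefix_safe() {
    j=$(sanitize_for_sed "$1")
    sed "s|^|$j:|"
}

# Show both behaviours for a few constructed file names. Returns 0 only when
# the safe variant reproduces every name literally. With the raw name, '&'
# is swallowed, '|' makes sed reject the command, and GNU sed turns '\f' into
# a form feed (the behaviour comment 6 observed).
demo() {
    status=0
    for name in 'plain.bz2' 'a&b.bz2' 'log\f.txt.bz2' 'x|y.bz2'; do
        unsafe=$(printf 'hello\n' | prefix_unsafe "$name" 2>/dev/null || echo '<sed error>')
        safe=$(printf 'hello\n' | prefix_safe "$name")
        printf 'name=%-16s unsafe=%-22s safe=%s\n' "$name" "$unsafe" "$safe"
        [ "$safe" = "$name:hello" ] || status=1
    done
    return $status
}

demo
```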
Comment 7 David Eisenstein 2005-09-06 18:09:25 EDT
Package upgrade numbering proposal:

         Current packages:              New Packages:
         RH73:  bzip2-1.0.2-2           bzip2-1.0.2-2.2.73.legacy
         RH9:   bzip2-1.0.2-8           bzip2-1.0.2-8.1.90.legacy
         FC1:   bzip2-1.0.2-10          bzip2-1.0.2-10.1.fc1.legacy
         FC2:   bzip2-1.0.2-12.1        bzip2-1.0.2-12.2.fc2.legacy
        (FC3:   bzip2-1.0.2-13.FC3.1)

(per Jesse's RPM Versioning topic at
  <http://www.fedoraproject.org/wiki/Legacy/RPMVersioning>)

Sound okay?
Comment 8 David Eisenstein 2005-09-07 00:33:31 EDT

Here are updated bzip2 packages to QA:

5d843a673e34f8383045441bd1aef708df66e260  bzip2-1.0.2-2.2.73.legacy.src.rpm
26dc1734fbe4b160cc5000b78c36eeec293c20ec  bzip2-1.0.2-8.1.90.legacy.src.rpm
d75b1602fa73f8976e0f3838a92ab4c4927e1056  bzip2-1.0.2-10.1.fc1.legacy.src.rpm
bc1f1c7fe7d2bafac57b9272d4f7c7c566f3da2f  bzip2-1.0.2-12.2.fc2.legacy.src.rpm

http://members.gtw.net/~deisenst/legacy/RH7.3/SRPMS/bzip2-1.0.2-2.2.73.legacy.src.rpm
http://members.gtw.net/~deisenst/legacy/RH9/SRPMS/bzip2-1.0.2-8.1.90.legacy.src.rpm
http://members.gtw.net/~deisenst/legacy/FC1/SRPMS/bzip2-1.0.2-10.1.fc1.legacy.src.rpm
http://members.gtw.net/~deisenst/legacy/FC2/SRPMS/bzip2-1.0.2-12.2.fc2.legacy.src.rpm

Changelogs:  
(nb:  I've munged email addresses here for spambots...  Full email addy's are
in srpms.)

RH73:

* Tue Sep 06 2005 David Eisenstein <deisenst@...> 1.0.2-2.2.73.legacy
- changed the bzgrep patch to match RHEL 3's.  (per bug 158801#c6)
- added tempfile patch so bzdiff/bzcmp creates tempfiles more securely
  (from RHEL 3).  Also added 2/24 & 3/30/05 changelog items.
- added CVE and bugzilla bug numbers to next 4 changelog items.
- renumbered release from "13.1.73.legacy" to "2.2.73.legacy" in keeping
  with FL package versioning scheme.

* Thu Jun 16 2005 Michal Jaegermann <michal@...>
- resynchronized for rhl7.3 with bzip2-1.0.2-13.FC3.1.src.rpm, #158801

* Wed Jun 08 2005 Jiri Ryska <jryska@...>
- fixed sed flaw in bzgrep   #159817, CAN-2005-0758

* Wed May 25 2005 Michal Jaegermann <michal@...>
- recompiled for rhl7.3  #158801

* Thu May 19 2005 Jiri Ryska <jryska@...>
- fixed permission setting for decompressed files #155742, CAN-2005-0953
- fixed decompression bomb (DoS) #157548, CAN-2005-1260

* Wed Mar 30 2005 Jindrich Novy <jnovy@...> 1.0.2-11.EL3.1
- update fixed temp creation patch from Jiri Ryska

* Thu Feb 24 2005 Jiri Ryska <jryska@...>
- changed tmpfile creation in bzdiff/bzcmp

RH9:

* Tue Sep 06 2005 David Eisenstein <deisenst@...> 1.0.2-8.1.90.legacy
- Recompiled for Red Hat 9.0.  #158801.

* Tue Jun 07 2005 Jiri Ryska <jryska@...>
- fixed sed flaw in bzgrep   #159817, CAN-2005-0758

* Thu May 19 2005 Jiri Ryska <jryska@...>
- fixed permission setting for decompressed files #155742, CAN-2005-0953
- fixed decompression bomb (DoS) #157548,  CAN-2005-1260

* Wed Mar 30 2005 Jindrich Novy <jnovy@...> 1.0.2-11.EL3.1
- update fixed temp creation patch from Jiri Ryska

* Thu Feb 24 2005 Jiri Ryska <jryska@...>
- changed tmpfile creation in bzdiff/bzcmp

FC1:

* Sat Sep 03 2005 David Eisenstein <deisenst@...> 1.0.2-10.1.fc1.legacy
- Recompiled for Fedora Core 1.  #158801.

...  rest same as RH9 above ...

FC2:

* Tue Sep 06 2005 David Eisenstein <deisenst@...> 1.0.2-12.2.fc2.legacy
- Recompiled for Fedora Core 2.  #158801.

...  rest same as RH9 above ...


Comment 9 Pekka Savola 2005-09-15 01:56:24 EDT
QA w/ rpm-build-compare.sh:
 - patches verified to come from RHEL3.
 - source integrity good
 - spec file changes are NOT minimal.  FC3 updates appear to be
   backported to all the releases.  These include non-security/critical
   bugfixes, which could incur breakage.  Given that all the FC3 updates are
   also included in the previous versions, the versioning is a bit odd
   (I'd expect that the naming be like  bzip2-1.0.2-11.xxx for all the
   versions.)
 
   However, the numbering works so it doesn't cause any problem, and RHEL3
   updates include some backports as well, so I can assume they work --
   so I think these packages are "good enough".
 
+PUBLISH RHL73, RHL9, FC1, FC2
 
d75b1602fa73f8976e0f3838a92ab4c4927e1056  bzip2-1.0.2-10.1.fc1.legacy.src.rpm
bc1f1c7fe7d2bafac57b9272d4f7c7c566f3da2f  bzip2-1.0.2-12.2.fc2.legacy.src.rpm
5d843a673e34f8383045441bd1aef708df66e260  bzip2-1.0.2-2.2.73.legacy.src.rpm
26dc1734fbe4b160cc5000b78c36eeec293c20ec  bzip2-1.0.2-8.1.90.legacy.src.rpm
Comment 10 David Eisenstein 2005-09-15 06:57:04 EDT
Thank you, Pekka.  To address your concerns:

(In reply to comment #9)
> <snip>
>  - spec file changes are NOT minimal.  FC3 updates appear to be
>    backported to all the releases.  These include non-security/critical
>    bugfixes, which could incur breakage.  

There were four patches added to the package.  

@@ -1,3 +1,7 @@
+./bzip2-1.0.2-bomb.patch: ASCII C program text
+./bzip2-1.0.2-bzgrep.patch: ASCII text
+./bzip2-1.0.2-chmod.patch: ASCII C program text
 ./bzip2-1.0.2-saneso.patch: ASCII make commands text
 ./bzip2-1.0.2.tar.gz: gzip compressed data, was "bzip2-1.0.2.tar", from Unix
+./bzip2-1.0.2-tempfile.patch: ASCII text
 ./bzip2.spec: ISO-8859 English text

Only one of the new patches appears to be non-security.

  1. bomb.patch   fixes CAN-2005-1260.
  2. bzgrep.patch fixes CAN-2005-0758.
  3. chmod.patch  fixes CAN-2005-0953.
  4. tempfile.patch fixes a bug that makes bzdiff unusable on at least
     FC1.  In the currently-released versions of bzip2 packages, bzdiff 
     attempts to call a program 'tempfile' which does not exist
     on my system.  However, 'mktemp' (which the patch specifies) is
     provided on all distros we cover, and is reputed to be a secure way
     of creating files in /tmp/.

>    Given that all the FC3 updates are
>    also included in the previous versions, the versioning is a bit odd
>    (I'd expect that the naming be like  bzip2-1.0.2-11.xxx for all the
>    versions.)

What names would you suggest?  These names can always be changed at build
time.  If you have better names, please spell them out so they can be
implemented.

Am not sure I understand how 
    <http://www.fedoraproject.org/wiki/Legacy/RPMVersioning>
fits in.

>    However, the numbering works so it doesn't cause any problem, and RHEL3
>    updates include some backports as well, so I can assume they work --
>    so I think these packages are "good enough".

Great!  

>  
> +PUBLISH RHL73, RHL9, FC1, FC2

Thanks, Pekka, for your publish vote.  :-)
Comment 11 Pekka Savola 2005-09-15 07:50:21 EDT
Sorry, you're right about the patches; I didn't look well enough. The spec file
changes the compilation options though.

Because all the packages are essentially a respin of the FC2 (FC3?) package
(i.e., we didn't do a minimal "backport"), I'd have thought the version numbers
would have been maybe something like:

bzip2-1.0.2-12.2.0.73.legacy.src.rpm
bzip2-1.0.2-12.2.0.90.legacy.src.rpm
bzip2-1.0.2-12.2.fc1.legacy.src.rpm
bzip2-1.0.2-12.2.fc2.legacy.src.rpm

.. this would have made it clearer that you've actually rebuilt a later version
on each of the older OS releases, not backported the patches.  But as either
approach works, I don't see a big problem.
Comment 12 Marc Deslauriers 2005-10-25 20:38:59 EDT
Packages were pushed to updates-testing.
Comment 13 Tom Yates 2005-10-26 03:39:40 EDT

36b3b8abb700fe93d14064ce22176ed59aef0b9b bzip2-1.0.2-8.1.90.legacy.i386.rpm
3ce61caa59d4c9a90e2412ebd5bae76500e4e462 bzip2-devel-1.0.2-8.1.90.legacy.i386.rpm
905c29052192f032dac84be0860013837b65f8d4 bzip2-libs-1.0.2-8.1.90.legacy.i386.rpm
Installs OK.  Can use bzip2 to unpack a kernel bz2 tarball, and to pack it
up again; sha1sum is unchanged.  bzgrep reports being able to find
CONFIG lines in the compressed tarball (sorry to use kernel files,
but those are about the only things I use bzip with).

+VERIFY RH9

Comment 14 Pekka Savola 2005-10-26 12:34:16 EDT

QA for RHL73; bzgrep, plus regular compress/decompress seems to work fine,
so looks good.  ++VERIFY RHL73


Timeout in two weeks.
Comment 15 Eric Jon Rostetter 2005-10-26 13:27:46 EDT
 
++VERIFY for RHL 7.3
++VERIFY for RHL 9
 
RHL 7.3 Packages:
2d0d5267210ceefd6e2ed80187c2f6e3d994e4a0  bzip2-1.0.2-2.2.73.legacy.i386.rpm
e661f6bf518498c375918577fc3414978a190d78  bzip2-devel-1.0.2-2.2.73.legacy.i386.rpm
0c1bd4a4472ca70183b104438db1a9ef98db4969  bzip2-libs-1.0.2-2.2.73.legacy.i386.rpm
 
RHL 9 Packages:
36b3b8abb700fe93d14064ce22176ed59aef0b9b  bzip2-1.0.2-8.1.90.legacy.i386.rpm
3ce61caa59d4c9a90e2412ebd5bae76500e4e462  bzip2-devel-1.0.2-8.1.90.legacy.i386.rpm
905c29052192f032dac84be0860013837b65f8d4  bzip2-libs-1.0.2-8.1.90.legacy.i386.rpm
 
SHA1 checksums all match test update advisory.  Signatures verify okay.
 
I installed all the packages on a RHL 7.3 machine and on a RHL 9 machine
without problem.  I used it to pack and unpack some .bz2 archives without
any problems.
 
Vote for release for RHL 9 and RHL 7.3.
 
Comment 16 Pekka Savola 2005-11-05 00:53:26 EST
*** Bug 157057 has been marked as a duplicate of this bug. ***
Comment 17 Pekka Savola 2005-11-05 00:54:28 EST
*** Bug 157058 has been marked as a duplicate of this bug. ***
Comment 18 Pekka Savola 2005-11-05 00:55:34 EST
*** Bug 157059 has been marked as a duplicate of this bug. ***
Comment 19 Pekka Savola 2005-11-05 00:55:58 EST
*** Bug 157060 has been marked as a duplicate of this bug. ***
Comment 20 Pekka Savola 2005-11-13 02:48:16 EST
Timed out.
Comment 21 Marc Deslauriers 2005-11-14 19:54:24 EST
Packages were released.
