Bug 158801

| Field | Value |
|---|---|
| Summary | bzip2 issues: CAN-2005-0953,0758,1260 |
| Product | [Retired] Fedora Legacy |
| Component | bzip2 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | LEGACY, rh73, rh9, 1, 2 |
| Reporter | Michal Jaegermann <michal> |
| Assignee | Fedora Legacy Bugs <bugs> |
| CC | deisenst, dom, pekkas |
| Keywords | Security |
| Doc Type | Bug Fix |
| Last Closed | 2005-11-15 00:54:24 UTC |
Description

Michal Jaegermann
2005-05-25 20:48:31 UTC

Source rpm was updated to ftp://ftp.harddata.com/pub/Legacy_srpms/bzip2-1.0.2-13.1.73.legacy.src.rpm to track changes which showed in bzip2-1.0.2-13.FC3.1. The only difference is a "sanitized" substitution in bzgrep shell script done in the same way as in gzip sources mentioned in https://rhn.redhat.com/errata/RHSA-2005-357.html (cf. bug 157696). Curiously enough there are no FC3 updates for gzip so far.

From RHSA-2005:474-01 <http://tinyurl.com/blt2r>

"A bug was found in the way bzgrep processes file names. If a user can be tricked into running bzgrep on a file with a carefully crafted file name, arbitrary commands could be executed as the user running bzgrep. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0758 to this issue.

"A bug was found in the way bzip2 modifies file permissions during decompression. If an attacker has write access to the directory into which bzip2 is decompressing files, it is possible for them to modify permissions on files owned by the user running bzip2 (CAN-2005-0953).

"A bug was found in the way bzip2 decompresses files. It is possible for an attacker to create a specially crafted bzip2 file which will cause bzip2 to cause a denial of service (by filling disk space) if decompressed by a victim (CAN-2005-1260)."

According to this RHSA, these vulnerabilities are a low security impact. Here are the relevant Red Hat Bugzilla items for RHEL:

Bug 159816 - CAN-2005-0758 bzgrep has security issue in sed usage
Bug 155742 - CAN-2005-0953 bzip2 race condition
Bug 157548 - CAN-2005-1260 bzip2 decompression bomb (DoS)

Michal, can you maybe add the two CAN-2005-{0758,1260} to the title? (I can't because I don't have proper Bugzilla permissions to make changes to bugs I don't own.)

Also, what distro is your bzip2-1.0.2-13.1.73.legacy.src.rpm for? RH7.3? Does it include patches for all 3 CAN's? (I suspect the answers to these questions, having peeked into your .srpm, but it would be good to have my suspicions affirmed.)

I plan to make packages for RH9, FC1, and FC2, though I don't know much about FC2 at this time. If I do something wrong, someone can chew me out later. :-)

> From RHSA-2005:474-01 <http://tinyurl.com/blt2r>

Would you, please, refrain from sticking in such places references via tinyurl. It helps if it is immediately clear to what you are pointing.

> Also, what distro is your bzip2-1.0.2-13.1.73.legacy.src.rpm for? RH7.3?

Yes, RH7.3 but recompiling that elsewhere is a trivial exercise. As I wrote - this package is tracking changes done in bzip2-1.0.2-13.FC3.1 from the current FC3 updates. Regrettably there are no CAN numbers in the Changelog for the later one although entries seem to indicate that all three problems are actually covered. There is nothing which would stop somebody from re-checking that.

Created attachment 118419 [details]
Patch included in RHEL 3 that's not in FC3.

> > From RHSA-2005:474-01 <http://tinyurl.com/blt2r>
>
> Would you, please, refrain from sticking in such places references via
> tinyurl. It helps if it is immediately clear to what you are pointing.

Sure. I will try to avoid tinyurls from now on. Didn't realize that they were counter-productive.

> Regrettably there are no CAN numbers in the Changelog for the later one
> although entries seem to indicate that all three problems are actually
> covered. There is nothing which would stop somebody from re-checking that.

True. I have just now rechecked, and it indeed looks like the patches are exactly for these three CAN numbers. Perhaps the most recent changelog could be changed thusly:

* Thu Jun 16 2005 Michal Jaegermann <michal>
- resynchronized for rhl7.3 with bzip2-1.0.2-13.FC3.1.src.rpm, #158801

* Wed Jun 08 2005 Jiri Ryska <jryska>
- fixed sed flaw in bzgrep #159817, CAN-2005-0758

* Wed May 25 2005 Michal Jaegermann <michal>
- recompiled for rhl7.3 #158801

* Thu May 19 2005 Jiri Ryska <jryska>
- fixed permission setting for decompressed files #155742, CAN-2005-0953
- fixed decompression bomb (DoS) #157548, CAN-2005-1260

Incidentally, regarding the fixing of the sed flaw, there is a difference in the patch file bzip2-1.0.2-bzgrep.patch between the RHEL 3 .src.rpm package and the FC3 .src.rpm package, upon which your package was based. I have notified Red Hat of that discrepancy (Bug 159816 comment 2), as one version of this patch may be incorrect.

There is another discrepancy also between the RHEL .src.rpm and the FC3 one. The RHEL .src.rpm has an additional patch file -- "bzip2-1.0.2-tempfile.patch". It is enclosed. Is this an appropriate patch for the RH7.3 environment?

AFAICT a patch version used in FC3 is correct. The fragment in question escapes backslashes used in a sed pattern a few lines down in the bzgrep script. A version which uses 'j=${i//\\\\/\\\\}' will do that too but only if there is a double backslash in $i.
Created attachment 118434 [details]
Test cases for the FC3 bzgrep versus the RHEL3 bzgrep
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SHA1sum of the attachment:
09e992a0e6bb50fa7387f927041a50994b4555c8 test-cases.tar.gz
Did a little testing on bzgrep. Test scripts are in the attached
"test-cases.tar.gz". Just untar the tarball, go to the test-cases/ directory
and run:
$ ./doit.sh
That will display the results of RHEL 3's bzgrep and FC3's bzgrep on two
test files (one of which has an embedded backslash in its filename) and
pipe the bzgrep results into less.
My take on this is that the RHEL 3 bzgrep patch is more correct than the
FC3 patch. In the FC3-patched version of bzgrep, the `\f' in the file-
name gets converted into a form-feed (^L) in the display lines, but
in the RHEL 3 version, the `\f' displays as `\f'.
The bash interpretation of ${variable//<pattern>/<replacement>} is certainly
not as intuitive as one might wish!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFDGntvxou1V/j9XZwRAo5pAJ9rv1IYXPQlCLyEZeIAvbOxZL4uVACgoozo
vVG9Vhmow55/TRUFZYcTQgU=
=My5q
-----END PGP SIGNATURE-----
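The quoting problem the two comments above are arguing about, shown as an added shell example. This is not the bzgrep script from any bzip2 package and not the FC3 or RHEL 3 patch; it assumes only POSIX sh and sed. bzgrep labels matching lines with the file name by splicing the name into a sed replacement, so a name containing a backslash, `&`, the `|` delimiter or a newline changes the meaning of that sed command; the escaping function below is my own, and mapping an embedded newline to `?` is my choice, not something either patch does.

```sh
#!/bin/sh
# Added example for this bug thread; not the bzgrep script from any bzip2
# package and not either distribution's bzgrep patch.  Assumes POSIX sh and
# sed.  bzgrep labels each matching line with the file name by splicing the
# name into a sed replacement; a name containing '\', '&', '|' or a newline
# then changes the meaning of that sed command (CAN-2005-0758), which is why
# the name has to be escaped first.

# Escape a file name for use as the replacement text of:  sed "s|^|NAME:|"
#   1. a newline would end the s command, so it is mapped to '?' (my choice)
#   2. backslashes are doubled first, so later escapes are not re-escaped
#   3. the delimiter '|' and '&' (the matched text) get a backslash
sed_escape_name() {
    { printf '%s' "$1" | tr '\n' '?'; echo; } |
        sed -e 's/\\/\\\\/g' -e 's/[|&]/\\&/g'
}

# Hardened form: prefix every line of stdin with "NAME:".
prefix_lines() {
    esc=$(sed_escape_name "$1")
    sed "s|^|$esc:|"
}

# Unescaped form, for contrast only: the raw name becomes part of the sed
# program, so '\f' in the name is interpreted by sed (a form feed with GNU
# sed) and '&' expands to the matched text instead of staying literal.
prefix_lines_unsafe() {
    sed "s|^|$1:|"
}

# Demonstration on constructed input: a file name with a backslash and '&'.
printf 'match one\nmatch two\n' | prefix_lines 'odd\fname&more.bz2'
```

Doubling the backslashes before escaping `|` and `&` matters: doing it in the other order would re-escape the backslashes just inserted. The bash `${i//pattern/replacement}` form discussed above is a bash-only alternative whose result depends on bash's quoting rules; the sed pipeline here behaves the same in any POSIX shell.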
Package upgrade numbering proposal:

| | Current packages | New packages |
|---|---|---|
| RH73 | bzip2-1.0.2-2 | bzip2-1.0.2-2.2.73.legacy |
| RH9 | bzip2-1.0.2-8 | bzip2-1.0.2-8.1.90.legacy |
| FC1 | bzip2-1.0.2-10 | bzip2-1.0.2-10.1.fc1.legacy |
| FC2 | bzip2-1.0.2-12.1 | bzip2-1.0.2-12.2.fc2.legacy |
| (FC3) | bzip2-1.0.2-13.FC3.1 | |

(per Jesse's RPM Versioning topic at <http://www.fedoraproject.org/wiki/Legacy/RPMVersioning>)

Sound okay?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated bzip2 packages to QA:

5d843a673e34f8383045441bd1aef708df66e260 bzip2-1.0.2-2.2.73.legacy.src.rpm
26dc1734fbe4b160cc5000b78c36eeec293c20ec bzip2-1.0.2-8.1.90.legacy.src.rpm
d75b1602fa73f8976e0f3838a92ab4c4927e1056 bzip2-1.0.2-10.1.fc1.legacy.src.rpm
bc1f1c7fe7d2bafac57b9272d4f7c7c566f3da2f bzip2-1.0.2-12.2.fc2.legacy.src.rpm

http://members.gtw.net/~deisenst/legacy/RH7.3/SRPMS/bzip2-1.0.2-2.2.73.legacy.src.rpm
http://members.gtw.net/~deisenst/legacy/RH9/SRPMS/bzip2-1.0.2-8.1.90.legacy.src.rpm
http://members.gtw.net/~deisenst/legacy/FC1/SRPMS/bzip2-1.0.2-10.1.fc1.legacy.src.rpm
http://members.gtw.net/~deisenst/legacy/FC2/SRPMS/bzip2-1.0.2-12.2.fc2.legacy.src.rpm

Changelogs: (nb: I've munged email addresses here for spambots... Full email addy's are in srpms.)

RH73:
* Tue Sep 06 2005 David Eisenstein <deisenst@...> 1.0.2-2.2.73.legacy
- - changed the bzgrep patch to match RHEL 3's. (per bug 158801#c6)
- - added tempfile patch so bzdiff/bzcmp creates tempfiles more securely (from RHEL 3). Also added 2/24 & 3/30/05 changelog items.
- - added CVE and bugzilla bug numbers to next 4 changelog items.
- - renumbered release from "13.1.73.legacy" to "2.2.73.legacy" in keeping with FL package versioning scheme.
* Thu Jun 16 2005 Michal Jaegermann <michal@...>
- - resynchronized for rhl7.3 with bzip2-1.0.2-13.FC3.1.src.rpm, #158801
* Wed Jun 08 2005 Jiri Ryska <jryska@...>
- - fixed sed flaw in bzgrep #159817, CAN-2005-0758
* Wed May 25 2005 Michal Jaegermann <michal@...>
- - recompiled for rhl7.3 #158801
* Thu May 19 2005 Jiri Ryska <jryska@...>
- - fixed permission setting for decompressed files #155742, CAN-2005-0953
- - fixed decompression bomb (DoS) #157548, CAN-2005-1260
* Wed Mar 30 2005 Jindrich Novy <jnovy@...> 1.0.2-11.EL3.1
- - update fixed temp creation patch from Jiri Ryska
* Thu Feb 24 2005 Jiri Ryska <jryska@...>
- - changed tmpfile creation in bzdiff/bzcmp

RH9:
* Tue Sep 06 2005 David Eisenstein <deisenst@...> 1.0.2-8.1.90.legacy
- - Recompiled for Red Hat 9.0. #158801.
* Tue Jun 07 2005 Jiri Ryska <jryska@...>
- - fixed sed flaw in bzgrep #159817, CAN-2005-0758
* Thu May 19 2005 Jiri Ryska <jryska@...>
- - fixed permission setting for decompressed files #155742, CAN-2005-0953
- - fixed decompression bomb (DoS) #157548, CAN-2005-1260
* Wed Mar 30 2005 Jindrich Novy <jnovy@...> 1.0.2-11.EL3.1
- - update fixed temp creation patch from Jiri Ryska
* Thu Feb 24 2005 Jiri Ryska <jryska@...>
- - changed tmpfile creation in bzdiff/bzcmp

FC1:
* Sat Sep 03 2005 David Eisenstein <deisenst@...> 1.0.2-10.1.fc1.legacy
- - Recompiled for Fedora Core 1. #158801.
... rest same as RH9 above ...

FC2:
* Tue Sep 06 2005 David Eisenstein <deisenst@...> 1.0.2-12.2.fc2.legacy
- - Recompiled for Fedora Core 2. #158801.
... rest same as RH9 above ...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFDHm0Cxou1V/j9XZwRAuj4AKD+uyEGlNCLcwqIZC7JSOuYmp3WjgCfUIWn
0TTk9u4zB2KeGKeH5mNPQ6A=
=nmZ0
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
- patches verified to come from RHEL3.
- source integrity good
- spec file changes are NOT minimal. FC3 updates appear to be backported to all the releases. These include non-security/critical bugfixes, which could incur breakage.

Given that all the FC3 updates are also included in the previous versions, the versioning is a bit odd (I'd expect that the naming be like bzip2-1.0.2-11.xxx for all the versions.) However, the numbering works so it doesn't cause any problem, and RHEL3 updates include some backports as well, so I can assume they work -- so I think these packages are "good enough".

+PUBLISH RHL73, RHL9, FC1, FC2

d75b1602fa73f8976e0f3838a92ab4c4927e1056 bzip2-1.0.2-10.1.fc1.legacy.src.rpm
bc1f1c7fe7d2bafac57b9272d4f7c7c566f3da2f bzip2-1.0.2-12.2.fc2.legacy.src.rpm
5d843a673e34f8383045441bd1aef708df66e260 bzip2-1.0.2-2.2.73.legacy.src.rpm
26dc1734fbe4b160cc5000b78c36eeec293c20ec bzip2-1.0.2-8.1.90.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQFDKQ04GHbTkzxSL7QRAitlAJ9oRi4TYNgb/kkz4M85c6WyzYGKeACgmSAX
Xs5/1pdhcF5ZvCzmeXAF/7o=
=7SQn
-----END PGP SIGNATURE-----

Thank you, Pekka. To address your concerns:

(In reply to comment #9)
> <snip>
> - spec file changes are NOT minimal. FC3 updates appear to be
> backported to all the releases. These include non-security/critical
> bugfixes, which could incur breakage.

There were four patches added to the package.

@@ -1,3 +1,7 @@
+./bzip2-1.0.2-bomb.patch: ASCII C program text
+./bzip2-1.0.2-bzgrep.patch: ASCII text
+./bzip2-1.0.2-chmod.patch: ASCII C program text
./bzip2-1.0.2-saneso.patch: ASCII make commands text
./bzip2-1.0.2.tar.gz: gzip compressed data, was "bzip2-1.0.2.tar", from Unix
+./bzip2-1.0.2-tempfile.patch: ASCII text
./bzip2.spec: ISO-8859 English text

Only one of the new patches appears to be non-security.

1. bomb.patch fixes CAN-2005-1260.
2. bzgrep.patch fixes CAN-2005-0758.
3. chmod.patch fixes CAN-2005-0953.
4. tempfile.patch fixes a bug that makes bzdiff unusable on at least FC1. In the currently-released versions of bzip2 packages, bzdiff attempts to call a program 'tempfile' which does not exist on my system. However, 'mktemp' (which the patch specifies) is provided on all distros we cover, and is reputed to be a secure way of creating files in /tmp/.

> Given that all the FC3 updates are
> also included in the previous versions, the versioning is a bit odd
> (I'd expect that the naming be like bzip2-1.0.2-11.xxx for all the
> versions.)

What names would you suggest? These names can always be changed at build time. If you have better names, please spell them out so they can be implemented. Am not sure I understand how <http://www.fedoraproject.org/wiki/Legacy/RPMVersioning> fits in.

> However, the numbering works so it doesn't cause any problem, and RHEL3
> updates include some backports as well, so I can assume they work --
> so I think these packages are "good enough".

Great!

> > +PUBLISH RHL73, RHL9, FC1, FC2

Thanks, Pekka, for your publish vote. :-)

Sorry, you're right about the patches; I didn't look well enough. The spec file changes the compilation options though.

Because all the packages are essentially a respin of the FC2 (FC3?) package (i.e., we didn't do a minimal "backport"), I'd have thought the version numbers would have been maybe something like:

bzip2-1.0.2-12.2.0.73.legacy.src.rpm
bzip2-1.0.2-12.2.0.90.legacy.src.rpm
bzip2-1.0.2-12.2.fc1.legacy.src.rpm
bzip2-1.0.2-12.2.fc2.legacy.src.rpm

.. this would have made it clearer that you've actually rebuilt a later version on each of the older OS releases, not backported the patches. But as either approach works, I don't see a big problem.

Packages were pushed to updates-testing.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

36b3b8abb700fe93d14064ce22176ed59aef0b9b bzip2-1.0.2-8.1.90.legacy.i386.rpm
3ce61caa59d4c9a90e2412ebd5bae76500e4e462 bzip2-devel-1.0.2-8.1.90.legacy.i386.rpm
905c29052192f032dac84be0860013837b65f8d4 bzip2-libs-1.0.2-8.1.90.legacy.i386.rpm

installs OK. can use bzip2 to unpack a kernel bz2 tarball, and to pack it up again; sha1sum is unchanged. bzgrep reports being able to find CONFIG lines in the compressed tarball (sorry to use kernel files, but those are about the only things i use bzip with).

+VERIFY RH9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDXzMyePtvKV31zw4RAmWiAJ405pDQq+5scmoKbqVHzAhpPv4X5QCgzaL4
Hc+gt66hOLElx/agY3AgeKI=
=XDBO
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RHL73; bzgrep, plus regular compress/decompress seems to work fine, so looks good.

++VERIFY RHL73
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQFDX7BNGHbTkzxSL7QRAiXOAJ9ag+6trHAfTH78dbLw2AXF5aWQWQCfX9n+
qovo3xsMjPsolsEjWUl5FT8=
=PCY6
-----END PGP SIGNATURE-----

Timeout in two weeks.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFY for RHL 7.3
++VERIFY for RHL 9

RHL 7.3 Packages:
2d0d5267210ceefd6e2ed80187c2f6e3d994e4a0 bzip2-1.0.2-2.2.73.legacy.i386.rpm
e661f6bf518498c375918577fc3414978a190d78 bzip2-devel-1.0.2-2.2.73.legacy.i386.rpm
0c1bd4a4472ca70183b104438db1a9ef98db4969 bzip2-libs-1.0.2-2.2.73.legacy.i386.rpm

RHL 9 Packages:
36b3b8abb700fe93d14064ce22176ed59aef0b9b bzip2-1.0.2-8.1.90.legacy.i386.rpm
3ce61caa59d4c9a90e2412ebd5bae76500e4e462 bzip2-devel-1.0.2-8.1.90.legacy.i386.rpm
905c29052192f032dac84be0860013837b65f8d4 bzip2-libs-1.0.2-8.1.90.legacy.i386.rpm

SHA1 checksums all match test update advisory. Signatures verify okay. I installed all the packages on a RHL 7.3 machine and on a RHL 9 machine without problem. I used it to pack and unpack some .bz2 archives without any problems.

Vote for release for RHL 9 and RHL 7.3.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFDX7xU4jZRbknHoPIRAgUjAJ0fQ6XVGWSx40mXbzKfvD9b1ccfqwCfYQbo
YEb3FzR53iDojz+dOXbfzn4=
=8Rym
-----END PGP SIGNATURE-----

*** Bug 157057 has been marked as a duplicate of this bug. ***

*** Bug 157058 has been marked as a duplicate of this bug. ***

*** Bug 157059 has been marked as a duplicate of this bug. ***

*** Bug 157060 has been marked as a duplicate of this bug. ***

Timed out. Packages were released.