Bug 911556 - (CVE-2013-0296) CVE-2013-0296 pigz: Temporary archive representation created with insecure permissions
CVE-2013-0296 pigz: Temporary archive representation created with insecure pe...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20130215,reported=2...
: Reopened, Security
Depends On: 911557 911558
Blocks: 767033
  Show dependency treegraph
 
Reported: 2013-02-15 06:00 EST by Jan Lieskovsky
Modified: 2015-08-21 19:41 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-21 19:41:44 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2013-02-15 06:00:57 EST
A security flaw was found in the way pigz, a parallel implementation of gzip, created temporary files to (temporary) store / represent 'to be compressed archive content' (the files were created with world readable permissions). A local attacker could use this flaw to obtain sensitive information (archive content).

References:
[1] http://www.openwall.com/lists/oss-security/2013/02/15/4
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700608
Comment 1 Jan Lieskovsky 2013-02-15 06:03:23 EST
Further issue details from [1]:
-------------------------------
When asked to compress a file with restricted permissions (like
mode 0600), the .gz file pigz creates while doing this has
usual mode derived from umask (like 0644).  If the file is
large enough (and why we would use pigz instead of gzip for
small files), this results in the original content being
readable for everyone until the compression finishes.

Here's the deal:

$ fallocate -l 1G foo
$ chmod 0600 foo
$ pigz foo &
$ ls -l foo foo.gz
-rw------- 1 mjt mjt 1073741824 Feb 15 12:27 foo
-rw-rw-r-- 1 mjt mjt     502516 Feb 15 12:27 foo.gz

When it finishes, it correctly applies original file permissions
to the newly created file, but it is already waaay too late.
Comment 2 Jan Lieskovsky 2013-02-15 06:04:28 EST
Created pigz tracking bugs for this issue

Affects: fedora-all [bug 911557]
Affects: epel-all [bug 911558]
Comment 3 Jan Lieskovsky 2013-02-16 06:42:47 EST
The CVE identifier of CVE-2013-0296 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2013/02/16/3
Comment 4 Adel Gadllah 2013-02-16 07:16:54 EST
Please don't copy random bugs from other bug trackers without any attempt to verify that it even applies to fedora / epel.

The bug you mention has been long been fixed in pigz-2.2.5 [1] 

And we have been shipping this version since August 2012.

1: http://mail.zlib.net/pipermail/pigz-announce_zlib.net/2012-July/000006.html
Comment 5 Jan Lieskovsky 2013-02-16 07:24:16 EST
(In reply to comment #4)

Adel, please don't change state on main CVE security bug (it is not just for Fedora and Fedora EPEL products).

> Please don't copy random bugs from other bug trackers without any attempt to
> verify that it even applies to fedora / epel.
> 
> The bug you mention has been long been fixed in pigz-2.2.5 [1] 
> 
> And we have been shipping this version since August 2012.
> 
> 1:
> http://mail.zlib.net/pipermail/pigz-announce_zlib.net/2012-July/000006.html

You are correct. Issue is fixed in pigz versions, as shipped with Fedora EPEL 5, Fedora EPEL 6, and Fedora 18. But not (yet) with Fedora 17. Please schedule that update.
Comment 6 Adel Gadllah 2013-02-16 07:25:27 EST
(In reply to comment #5)
> (In reply to comment #4)
> 
> Adel, please don't change state on main CVE security bug (it is not just for
> Fedora and Fedora EPEL products).
> 
> > Please don't copy random bugs from other bug trackers without any attempt to
> > verify that it even applies to fedora / epel.
> > 
> > The bug you mention has been long been fixed in pigz-2.2.5 [1] 
> > 
> > And we have been shipping this version since August 2012.
> > 
> > 1:
> > http://mail.zlib.net/pipermail/pigz-announce_zlib.net/2012-July/000006.html
> 
> You are correct. Issue is fixed in pigz versions, as shipped with Fedora
> EPEL 5, Fedora EPEL 6, and Fedora 18. But not (yet) with Fedora 17. Please
> schedule that update.

Oh indeed no idea why I didn't update F17 back then my bad will update ASAP.
Comment 7 Jan Lieskovsky 2013-02-16 07:33:33 EST
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #4)
> > 
> > Adel, please don't change state on main CVE security bug (it is not just for
> > Fedora and Fedora EPEL products).
> > 
> > > Please don't copy random bugs from other bug trackers without any attempt to
> > > verify that it even applies to fedora / epel.
> > > 
> > > The bug you mention has been long been fixed in pigz-2.2.5 [1] 
> > > 
> > > And we have been shipping this version since August 2012.
> > > 
> > > 1:
> > > http://mail.zlib.net/pipermail/pigz-announce_zlib.net/2012-July/000006.html
> > 
> > You are correct. Issue is fixed in pigz versions, as shipped with Fedora
> > EPEL 5, Fedora EPEL 6, and Fedora 18. But not (yet) with Fedora 17. Please
> > schedule that update.
> 
> Oh indeed no idea why I didn't update F17 back then my bad will update ASAP.

Thank you. I am going to open fedora-all one to let it get closed by Bodhi (when the update is done and package pushed).

Thanks for the help.
Comment 8 Fedora Update System 2013-02-25 21:46:16 EST
pigz-2.2.5-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.