911556 – (CVE-2013-0296) CVE-2013-0296 pigz: Temporary archive representation created with insecure permissions

Bug 911556 (CVE-2013-0296) - CVE-2013-0296 pigz: Temporary archive representation created with insecure permissions

Summary: CVE-2013-0296 pigz: Temporary archive representation created with insecure pe...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2013-0296
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	911557 911558
Blocks:	767033
TreeView+	depends on / blocked

Reported:	2013-02-15 11:00 UTC by Jan Lieskovsky
Modified:	2019-09-29 13:00 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2015-08-21 23:41:44 UTC
Embargoed:

Attachments	(Terms of Use)

Description Jan Lieskovsky 2013-02-15 11:00:57 UTC

A security flaw was found in the way pigz, a parallel implementation of gzip, created temporary files to (temporary) store / represent 'to be compressed archive content' (the files were created with world readable permissions). A local attacker could use this flaw to obtain sensitive information (archive content).

References:
[1] http://www.openwall.com/lists/oss-security/2013/02/15/4
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700608

Comment 1 Jan Lieskovsky 2013-02-15 11:03:23 UTC

Further issue details from [1]:
-------------------------------
When asked to compress a file with restricted permissions (like
mode 0600), the .gz file pigz creates while doing this has
usual mode derived from umask (like 0644).  If the file is
large enough (and why we would use pigz instead of gzip for
small files), this results in the original content being
readable for everyone until the compression finishes.

Here's the deal:

$ fallocate -l 1G foo
$ chmod 0600 foo
$ pigz foo &
$ ls -l foo foo.gz
-rw------- 1 mjt mjt 1073741824 Feb 15 12:27 foo
-rw-rw-r-- 1 mjt mjt     502516 Feb 15 12:27 foo.gz

When it finishes, it correctly applies original file permissions
to the newly created file, but it is already waaay too late.

Comment 2 Jan Lieskovsky 2013-02-15 11:04:28 UTC

Created pigz tracking bugs for this issue

Affects: fedora-all [bug 911557]
Affects: epel-all [bug 911558]

Comment 3 Jan Lieskovsky 2013-02-16 11:42:47 UTC

The CVE identifier of CVE-2013-0296 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2013/02/16/3

Comment 4 Adel Gadllah 2013-02-16 12:16:54 UTC

Please don't copy random bugs from other bug trackers without any attempt to verify that it even applies to fedora / epel.

The bug you mention has been long been fixed in pigz-2.2.5 [1] 

And we have been shipping this version since August 2012.

1: http://mail.zlib.net/pipermail/pigz-announce_zlib.net/2012-July/000006.html

Comment 5 Jan Lieskovsky 2013-02-16 12:24:16 UTC

(In reply to comment #4)

Adel, please don't change state on main CVE security bug (it is not just for Fedora and Fedora EPEL products).

> Please don't copy random bugs from other bug trackers without any attempt to
> verify that it even applies to fedora / epel.
> 
> The bug you mention has been long been fixed in pigz-2.2.5 [1] 
> 
> And we have been shipping this version since August 2012.
> 
> 1:
> http://mail.zlib.net/pipermail/pigz-announce_zlib.net/2012-July/000006.html

You are correct. Issue is fixed in pigz versions, as shipped with Fedora EPEL 5, Fedora EPEL 6, and Fedora 18. But not (yet) with Fedora 17. Please schedule that update.

Comment 6 Adel Gadllah 2013-02-16 12:25:27 UTC

(In reply to comment #5)
> (In reply to comment #4)
> 
> Adel, please don't change state on main CVE security bug (it is not just for
> Fedora and Fedora EPEL products).
> 
> > Please don't copy random bugs from other bug trackers without any attempt to
> > verify that it even applies to fedora / epel.
> > 
> > The bug you mention has been long been fixed in pigz-2.2.5 [1] 
> > 
> > And we have been shipping this version since August 2012.
> > 
> > 1:
> > http://mail.zlib.net/pipermail/pigz-announce_zlib.net/2012-July/000006.html
> 
> You are correct. Issue is fixed in pigz versions, as shipped with Fedora
> EPEL 5, Fedora EPEL 6, and Fedora 18. But not (yet) with Fedora 17. Please
> schedule that update.

Oh indeed no idea why I didn't update F17 back then my bad will update ASAP.

Comment 7 Jan Lieskovsky 2013-02-16 12:33:33 UTC

(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #4)
> > 
> > Adel, please don't change state on main CVE security bug (it is not just for
> > Fedora and Fedora EPEL products).
> > 
> > > Please don't copy random bugs from other bug trackers without any attempt to
> > > verify that it even applies to fedora / epel.
> > > 
> > > The bug you mention has been long been fixed in pigz-2.2.5 [1] 
> > > 
> > > And we have been shipping this version since August 2012.
> > > 
> > > 1:
> > > http://mail.zlib.net/pipermail/pigz-announce_zlib.net/2012-July/000006.html
> > 
> > You are correct. Issue is fixed in pigz versions, as shipped with Fedora
> > EPEL 5, Fedora EPEL 6, and Fedora 18. But not (yet) with Fedora 17. Please
> > schedule that update.
> 
> Oh indeed no idea why I didn't update F17 back then my bad will update ASAP.

Thank you. I am going to open fedora-all one to let it get closed by Bodhi (when the update is done and package pushed).

Thanks for the help.

Comment 8 Fedora Update System 2013-02-26 02:46:16 UTC

pigz-2.2.5-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.