bug-gzip
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#15522: gzcmp/gzdiff + gznew shell scripts use temporary files unsafe


From: Rich Burridge
Subject: bug#15522: gzcmp/gzdiff + gznew shell scripts use temporary files unsafely
Date: Thu, 03 Oct 2013 17:18:57 -0700
User-agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130803 Thunderbird/17.0.8

Hi,

We've had a bug reported against the version of gzip that we ship in Solaris:

"The gzcmp and gzdiff (same script hardlinked) commands shipped with Solaris
write to a file in the world writable directory '/tmp' if both of its
arguments are compressed files. 'set -C' is used to ensure that the file
doesn't already exist when it's being written to (which prevents a
symlink-based attack), but that allows a mild Denial of Service by creating
this file in advance, which would therefore cause gzcmp / gzdiff to abort.

                              set -C
trap 'rm -f /tmp/"$F".$$; exit 2' 1 2 13 15 0
                              gzip -cdfq "$2" > /tmp/"$F".$$ || exit


gznew is similarly impacted:

      tmp=/tmp/zfoo.$$
      set -C
      echo hi > $tmp.1
      echo hi > $tmp.2

While it's arguably unlikely that these issues would ever be exploited,
it is suggested that it would be better for these commands to use mktemp."

Thanks.





reply via email to

[Prev in Thread] Current Thread [Next in Thread]