[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#15522: gzcmp/gzdiff + gznew shell scripts use temporary files unsafe
From: |
Rich Burridge |
Subject: |
bug#15522: gzcmp/gzdiff + gznew shell scripts use temporary files unsafely |
Date: |
Thu, 03 Oct 2013 17:18:57 -0700 |
User-agent: |
Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130803 Thunderbird/17.0.8 |
Hi,
We've had a bug reported against the version of gzip that we ship in
Solaris:
"The gzcmp and gzdiff (same script hardlinked) commands shipped with
Solaris
write to a file in the world writable directory '/tmp' if both of its
arguments are compressed files. 'set -C' is used to ensure that the file
doesn't already exist when it's being written to (which prevents a
symlink-based attack), but that allows a mild Denial of Service by creating
this file in advance, which would therefore cause gzcmp / gzdiff to abort.
set -C
trap 'rm -f /tmp/"$F".$$; exit 2' 1 2 13
15 0
gzip -cdfq "$2" > /tmp/"$F".$$ || exit
gznew is similarly impacted:
tmp=/tmp/zfoo.$$
set -C
echo hi > $tmp.1
echo hi > $tmp.2
While it's arguably unlikely that these issues would ever be exploited,
it is suggested that it would be better for these commands to use mktemp."
Thanks.
- bug#15522: gzcmp/gzdiff + gznew shell scripts use temporary files unsafely,
Rich Burridge <=