From unknown Fri Jul 11 19:22:05 2025
From: Rich Burridge
To: 15522@debbugs.gnu.org
Date: Thu, 03 Oct 2013 17:18:57 -0700
Subject: bug#15522: gzcmp/gzdiff + gznew shell scripts use temporary files unsafely
Message-ID: <524E0971.5090200@oracle.com>

Hi,

We've had a bug reported against the version of gzip that we ship in
Solaris:

"The gzcmp and gzdiff (same script hardlinked) commands shipped with
Solaris write to a file in the world writable directory '/tmp' if both
of its arguments are compressed files.

'set -C' is used to ensure that the file doesn't already exist when it's
being written to (which prevents a symlink-based attack), but that allows
a mild Denial of Service by creating this file in advance, which would
therefore cause gzcmp / gzdiff to abort.

    set -C
    trap 'rm -f /tmp/"$F".$$; exit 2' 1 2 13 15 0
    gzip -cdfq "$2" > /tmp/"$F".$$ || exit

gznew is similarly impacted:

    tmp=/tmp/zfoo.$$
    set -C
    echo hi > $tmp.1
    echo hi > $tmp.2

While it's arguably unlikely that these issues would ever be exploited,
it is suggested that it would be better for these commands to use mktemp."

Thanks.
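
The trade-off the report describes, as an added example that is not part of the original message or of the gzip sources: the predictable-name 'set -C' pattern next to mktemp, each run against a planted regular file and a planted symlink. Everything happens in a private directory from mktemp -d; the function names, the victim file and the planted entries are constructed for the illustration.

```sh
#!/bin/sh
# Added example: the two temp-file patterns from the report, exercised in a
# private sandbox directory instead of /tmp. All names here are illustrative.

# Pattern quoted in the report: predictable name BASE.$$ plus 'set -C'
# (noclobber). Prints the path on success, fails if the name is taken.
create_noclobber() {
    _tmp=$1/$2.$$
    # Subshell keeps 'set -C' from leaking into the caller.
    ( set -C; echo hi > "$_tmp" ) 2>/dev/null || return 1
    printf '%s\n' "$_tmp"
}

# mktemp pattern: random suffix, exclusive create, mode 0600.
create_mktemp() {
    mktemp "$1/$2.XXXXXX"
}

# Runs one scenario and prints "<noclobber result> <mktemp result>".
# $1 = none | file | symlink : what already occupies the predictable name.
scenario() {
    _sb=$(mktemp -d) || return 2
    _victim=$_sb/victim
    echo original > "$_victim"
    case $1 in
        file)    : > "$_sb/zfoo.$$" ;;                 # name created in advance
        symlink) ln -s "$_victim" "$_sb/zfoo.$$" ;;    # name points elsewhere
    esac

    if create_noclobber "$_sb" zfoo >/dev/null; then
        _a=created
    else
        _a=aborted
    fi

    if _p=$(create_mktemp "$_sb" zfoo) && [ -f "$_p" ] &&
       [ "$_p" != "$_sb/zfoo.$$" ]; then
        _b=created
        # mktemp files must be private to the owner.
        case $(ls -ld "$_p") in
            -rw-------*) ;;
            *) _b=badmode ;;
        esac
    else
        _b=aborted
    fi

    # The symlink target must be untouched whichever pattern ran.
    [ "$(cat "$_victim")" = original ] || _a=clobbered

    rm -rf "$_sb"
    printf '%s %s\n' "$_a" "$_b"
}

for s in none file symlink; do
    printf '%-8s noclobber/mktemp: %s\n' "$s" "$(scenario "$s")"
done
```

In both planted cases the 'set -C' pattern fails closed, which protects the symlink target but is the abort the report calls a mild denial of service; mktemp picks a fresh name and carries on.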

From unknown Fri Jul 11 19:22:05 2025
From: Paul Eggert
To: Rich Burridge, 15522@debbugs.gnu.org
Date: Thu, 03 Oct 2013 18:47:28 -0700
Subject: bug#15522: gzcmp/gzdiff + gznew shell scripts use temporary files unsafely
Message-ID: <524E1E30.8020308@cs.ucla.edu>

Rich Burridge wrote:
> it would be better for these commands to use mktemp

That was done in gzip 1.3.10, released 2006-12-30.
Is this not working for you? If not, why not?

From unknown Fri Jul 11 19:22:05 2025
From: Rich Burridge
To: Paul Eggert
Cc: 15522@debbugs.gnu.org
Date: Thu, 03 Oct 2013 19:37:13 -0700
Subject: bug#15522: gzcmp/gzdiff + gznew shell scripts use temporary files unsafely
Message-ID: <524E29D9.9060502@oracle.com>

On 10/03/2013 06:47 PM, Paul Eggert wrote:
> Rich Burridge wrote:
>> it would be better for these commands to use mktemp
> That was done in gzip 1.3.10, released 2006-12-30.
> Is this not working for you? If not, why not?

I can see mktemp usage in gzexe.in and zdiff.in, but the Solaris bug
report was suggesting the same sort of thing should be done in:

zdiff.in:

    else
      set -C
      tmp=${TMPDIR-/tmp}/$F.$$
    fi
    gzip -cdfq -- "$2" > "$tmp" || exit 2

and znew.in:

    set -C
    echo hi > $tmp || exit
    if test -z "`(${CPMOD-cpmod} $tmp $tmp) 2>&1`"; then

Sorry, I probably confused things by giving their Solaris g names,
and by stating that gzcmp and gzdiff were hard-linked without actually
checking (because that's no longer true in the latest versions of the
gzip distribution).

From unknown Fri Jul 11 19:22:05 2025
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Rich Burridge
Date: Fri, 04 Oct 2013 04:15:04 +0000
Subject: bug#15522: closed (Re: bug#15522: gzcmp/gzdiff + gznew shell scripts use temporary files unsafely)

Your bug report

#15522: gzcmp/gzdiff + gznew shell scripts use temporary files unsafely

which was filed against the gzip package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 15522@debbugs.gnu.org.

-- 
15522: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=15522
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Paul Eggert
To: Rich Burridge
Cc: 15522-done@debbugs.gnu.org
Date: Thu, 03 Oct 2013 21:14:23 -0700
Subject: Re: bug#15522: gzcmp/gzdiff + gznew shell scripts use temporary files unsafely
Message-ID: <524E409F.7030104@cs.ucla.edu>

The zdiff usage of set -C is executed only on older
platforms that lack mktemp, so it shouldn't be a problem.

znew. What a dinosaur. It's hardly worth fixing, but I
installed this:

>From b3b5611e046b93fb20aa783d6d11d986f33f91f6 Mon Sep 17 00:00:00 2001
From: Paul Eggert Date: Thu, 3 Oct 2013 21:12:09 -0700 Subject: [PATCH] znew: avoid denial-of-service issue Reported by Rich Burridge in . * znew.in: Rewrite to avoid the need for a temporary file in /tmp. That way, we avoid the need for set -C and worrying about denial of service. Use touch -r and chmod --reference rather than cpmod. Assume cp -p works, as it's now universal. Quote 'echo' args better, while we're at it. (warn, tmp, cpmod, cpmodarg): Remove. (GZIP): Unset, so that we needn't test for gzip extension. (ext): Now always '.gz'. * znew.1: Document the change of implementation assumptions. --- znew.1 | 19 +++++++++++++------ znew.in | 51 ++++++++++++++------------------------------------- 2 files changed, 27 insertions(+), 43 deletions(-) diff --git a/znew.1 b/znew.1 index dcdf84f..2a7e5e1 100644 --- a/znew.1 +++ b/znew.1 @@ -32,9 +32,16 @@ Keep a .Z file when it is smaller than the .gz file; implies .SH "SEE ALSO" gzip(1), zmore(1), zdiff(1), zgrep(1), zforce(1), gzexe(1), compress(1) .SH BUGS -.I Znew -does not maintain the time stamp with the -P option if -.I cpmod(1) -is not available and -.I touch(1) -does not support the -r option. +If the +.B \-P +option is used, +.I znew +does not maintain the time stamp if +.IR touch (1) +does not support the +.B \-r +option, and does not maintain permissions if +.IR chmod (1) +does not support the +.B \-\-reference +option. diff --git a/znew.in b/znew.in index 9bd3ce9..d16311a 100644 --- a/znew.in +++ b/znew.in 
@@ -58,33 +58,9 @@ new=0 block=1024 # block is the disk block size (best guess, need not be exact) -warn="(does not preserve modes and timestamp)" -tmp=${TMPDIR-/tmp}/zfoo.$$ -set -C -echo hi > $tmp || exit -if test -z "`(${CPMOD-cpmod} $tmp $tmp) 2>&1`"; then - cpmod=${CPMOD-cpmod} - warn="" -fi - -if test -z "$cpmod" && ${TOUCH-touch} -r $tmp $tmp 2>/dev/null; then - cpmod="${TOUCH-touch}" - cpmodarg="-r" - warn="(does not preserve file modes)" -fi - -# check if GZIP env. variable uses -S or --suffix -gzip -q $tmp -ext=`echo $tmp* | sed "s|$tmp||"` -rm -f $tmp* -if test -z "$ext"; then - echo znew: error determining gzip extension - exit 1 -fi -if test "$ext" = ".Z"; then - echo znew: cannot use .Z as gzip extension. - exit 1 -fi +# Beware -s or --suffix in $GZIP. +unset GZIP +ext=.gz for arg do @@ -116,26 +92,27 @@ if test -n "$opt"; then fi for i do - n=`echo $i | sed 's/.Z$//'` + n=`echo "$i" | sed 's/.Z$//'` if test ! -f "$n.Z" ; then - echo $n.Z not found + echo "$n.Z not found" res=1; continue fi test $keep -eq 1 && old=`wc -c < "$n.Z"` if test $pipe -eq 1; then if gzip -d < "$n.Z" | gzip $opt > "$n$ext"; then # Copy file attributes from old file to new one, if possible. - test -n "$cpmod" && $cpmod $cpmodarg "$n.Z" "$n$ext" 2> /dev/null + touch -r"$n.Z" -- "$n$ext" 2>/dev/null + chmod --reference="$n.Z" -- "$n$ext" 2>/dev/null else - echo error while recompressing $n.Z + echo "error while recompressing $n.Z" res=1; continue fi else if test $check -eq 1; then - if cp -p "$n.Z" "$n.$$" 2> /dev/null || cp "$n.Z" "$n.$$"; then + if cp -p "$n.Z" "$n.$$"; then : else - echo cannot backup "$n.Z" + echo "cannot backup $n.Z" res=1; continue fi fi @@ -143,7 +120,7 @@ for i do : else test $check -eq 1 && mv "$n.$$" "$n.Z" - echo error while uncompressing $n.Z + echo "error while uncompressing $n.Z" res=1; continue fi if gzip $opt "$n"; then 
@@ -151,10 +128,10 @@ for i do else if test $check -eq 1; then mv "$n.$$" "$n.Z" && rm -f "$n" - echo error while recompressing $n + echo "error while recompressing $n" else # compress $n (might be dangerous if disk full) - echo error while recompressing $n, left uncompressed + echo "error while recompressing $n, left uncompressed" fi res=1; continue fi 
@@ -175,7 +152,7 @@ for i do else test $pipe -eq 0 && mv "$n.$$" "$n.Z" rm -f "$n$ext" - echo error while testing $n$ext, $n.Z unchanged + echo "error while testing $n$ext, $n.Z unchanged" res=1; continue fi elif test $pipe -eq 1; then -- 1.8.3.1
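
Review bot: The BUGS text added in the znew.1 hunk (-32,9 +32,16) documents the touch -r and chmod --reference assumptions but not the other behaviour change in this commit: znew.in now runs "unset GZIP" and hard-codes "ext=.gz", so every option a user placed in $GZIP is ignored. Suggest one more sentence in the man page saying that znew ignores the GZIP environment variable and always writes a .gz suffix.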
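
Review bot: In the znew.in hunk at -58,33 +58,9 the new comment reads "Beware -s or --suffix in $GZIP." while the comment it replaces named the option as -S; the lowercase -s looks like a typo and should be -S. Since "unset GZIP" discards the whole variable and not only a suffix setting, the comment could also say that all $GZIP options are dropped on purpose.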
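
Review bot: In the znew.in hunk at -116,26 +92,27 the pipe branch now runs touch -r"$n.Z" and chmod --reference="$n.Z" with stderr sent to /dev/null and the exit status ignored, and the old "warn" text is removed, so where chmod lacks --reference the new "$n$ext" silently keeps umask-default permissions instead of those of "$n.Z". Suggest checking the status of both commands and printing a warning (or setting res=1) when the attributes could not be copied. On the changed line that computes n, the sed expression 's/.Z$//' still has an unescaped dot and strips any character followed by Z; 's/\.Z$//' would match only the suffix.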

From unknown Fri Jul 11 19:22:05 2025
From: Rich Burridge
To: Paul Eggert
Cc: 15522-done@debbugs.gnu.org
Date: Thu, 03 Oct 2013 21:16:40 -0700
Subject: bug#15522: gzcmp/gzdiff + gznew shell scripts use temporary files unsafely
Message-ID: <524E4128.9000804@oracle.com>

On 10/03/2013 09:14 PM, Paul Eggert wrote:
> The zdiff usage of set -C is executed only on older
> platforms that lack mktemp, so it shouldn't be a problem.

Okay.

> znew. What a dinosaur. It's hardly worth fixing, but I
> installed this:

Excellent. We'll use a similar patch against the version we
currently have.

Thanks.

From unknown Fri Jul 11 19:22:05 2025
From: Jim Meyering
To: Rich Burridge
Cc: 15522@debbugs.gnu.org, Paul Eggert
Date: Thu, 3 Oct 2013 21:25:06 -0700
Subject: bug#15522: gzcmp/gzdiff + gznew shell scripts use temporary files unsafely

On Thu, Oct 3, 2013 at 7:37 PM, Rich Burridge wrote:
...
> Sorry, I probably confused things by giving their Solaris g names,
> and by stating that gzcmp and gzdiff were hard-linked without actually
> checking
> (because that's no longer true in the latest versions of the gzip
> distribution).

tags 15522 notabug
close 15522
thanks

Thanks for the report.
Since that problem was fixed long ago, I'm marking this ticket as "done".
If I've misunderstood, please let us know and I'll reopen it.

From unknown Fri Jul 11 19:22:05 2025
From: Rich Burridge
To: Jim Meyering
Cc: 15522@debbugs.gnu.org, Paul Eggert
Date: Thu, 03 Oct 2013 21:27:36 -0700
Subject: bug#15522: gzcmp/gzdiff + gznew shell scripts use temporary files unsafely
Message-ID: <524E43B8.50706@oracle.com>

On 10/03/2013 09:25 PM, Jim Meyering wrote:
> On Thu, Oct 3, 2013 at 7:37 PM, Rich Burridge wrote:
> ...
>> Sorry, I probably confused things by giving their Solaris g names,
>> and by stating that gzcmp and gzdiff were hard-linked without actually
>> checking
>> (because that's no longer true in the latest versions of the gzip
>> distribution).
> tags 15522 notabug
> close 15522
> thanks
>
> Thanks for the report.
> Since that problem was fixed long ago, I'm marking this ticket as "done".
> If I've misunderstood, please let us know and I'll reopen it.

Well I guess I'm confused now. If Paul has just generated a patch
to change things, how can you consider this to not be a bug?

From unknown Fri Jul 11 19:22:05 2025
From: Jim Meyering
To: Rich Burridge
Cc: 15522 <15522@debbugs.gnu.org>, Paul Eggert
Date: Fri, 4 Oct 2013 06:58:16 -0700
Subject: bug#15522: gzcmp/gzdiff + gznew shell scripts use temporary files unsafely

Sorry. The notabug tag is inaccurate.
I'll remove it.