GNU bug report logs - #15522
gzcmp/gzdiff + gznew shell scripts use temporary files unsafely

Package: gzip;

Reported by: Rich Burridge <rich.burridge <at> oracle.com>

Date: Fri, 4 Oct 2013 00:21:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.


Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Rich Burridge <rich.burridge <at> oracle.com>
To: bug-gzip <at> gnu.org
Subject: gzcmp/gzdiff + gznew shell scripts use temporary files unsafely
Date: Thu, 03 Oct 2013 17:18:57 -0700

Hi,

We've had a bug reported against the version of gzip that we ship in
Solaris:

"The gzcmp and gzdiff (same script hardlinked) commands shipped with Solaris
write to a file in the world writable directory '/tmp' if both of its
arguments are compressed files. 'set -C' is used to ensure that the file
doesn't already exist when it's being written to (which prevents a
symlink-based attack), but that allows a mild Denial of Service by creating
this file in advance, which would therefore cause gzcmp / gzdiff to abort.

      set -C
      trap 'rm -f /tmp/"$F".$$; exit 2' 1 2 13 15 0
      gzip -cdfq "$2" > /tmp/"$F".$$ || exit


gznew is similarly impacted:

      tmp=/tmp/zfoo.$$
      set -C
      echo hi > $tmp.1
      echo hi > $tmp.2

While it's arguably unlikely that these issues would ever be exploited,
it is suggested that it would be better for these commands to use mktemp."

Thanks.
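
The difference between the two patterns discussed in the report, as an added example (not part of the original message and not gzip's code): with the predictable `name.$$` path already occupied, the `set -C` redirect aborts, while `mktemp` still gets a fresh file. The function names are hypothetical, and a private scratch directory stands in for `/tmp`.

```shell
#!/bin/sh
# Added example, not gzip's code. "$scratch" stands in for the shared /tmp.

# Pattern quoted in the report: predictable name plus noclobber.
# Succeeds only if nobody created "$1/$2.$$" first.
predictable_tmp() {
    ( set -C; echo data > "$1/$2.$$" ) 2>/dev/null
}

# Suggested replacement: mktemp picks an unpredictable name and creates the
# file atomically (exclusive create, owner-only mode). Prints the new path.
safe_tmp() {
    mktemp "$1/$2.XXXXXX"
}

# Occupy the predictable name first, then try both patterns.
# Prints one line: "predictable=<ok|blocked> mktemp=<ok|failed>".
compare_patterns() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/tmpdemo.XXXXXX") || return 1
    : > "$scratch/file.gz.$$"        # constructed stand-in for the pre-created file

    if predictable_tmp "$scratch" file.gz; then p=ok; else p=blocked; fi
    if t=$(safe_tmp "$scratch" file.gz) && [ -f "$t" ]; then m=ok; else m=failed; fi

    rm -rf "$scratch"
    echo "predictable=$p mktemp=$m"
}

compare_patterns
```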




This bug report was last modified 11 years and 254 days ago.


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.