lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050414134537.16351.qmail@www.securityfocus.com>
Date: 14 Apr 2005 13:45:37 -0000
From: Steve Grubb <linux_4ever@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Re: gzip TOCTOU file-permissions vulnerability


In-Reply-To: <7389fc4b05040412574f819112@...l.gmail.com>

Since no one has posted a fix...here's a stab at it.

-Steve Grubb

================

diff -ur gzip-1.3.5.orig/gzip.c gzip-1.3.5/gzip.c
--- gzip-1.3.5.orig/gzip.c      2005-04-14 09:25:04.941018504 -0400
+++ gzip-1.3.5/gzip.c   2005-04-14 09:33:36.966178848 -0400
@@ -881,8 +881,11 @@
     }

     close(ifd);
-    if (!to_stdout && close(ofd)) {
-       write_error();
+    if (!to_stdout) {
+        /* Copy modes, times, ownership, and remove the input file */
+        copy_stat(&istat);
+        if (close(ofd))
+           write_error();
     }
     if (method == -1) {
        if (!to_stdout) xunlink (ofname);
@@ -902,10 +905,6 @@
        }
        fprintf(stderr, "\n");
     }
-    /* Copy modes, times, ownership, and remove the input file */
-    if (!to_stdout) {
-       copy_stat(&istat);
-    }
 }

 /* ========================================================================
@@ -1731,7 +1730,7 @@
     reset_times(ofname, ifstat);
 #endif
     /* Copy the protection modes */
-    if (chmod(ofname, ifstat->st_mode & 07777)) {
+    if (fchmod(ofd, ifstat->st_mode & 07777)) {
        int e = errno;
        WARN((stderr, "%s: ", progname));
        if (!quiet) {
@@ -1740,7 +1739,7 @@
        }
     }
 #ifndef NO_CHOWN
-    chown(ofname, ifstat->st_uid, ifstat->st_gid);  /* Copy ownership */
+    (void) fchown(ofd, ifstat->st_uid, ifstat->st_gid);  /* Copy ownership */
 #endif
     remove_ofname = 0;
     /* It's now safe to remove the input file: */


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ