Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 155745

Summary: CAN-2005-0988 Race condition in gzip
Product: Red Hat Enterprise Linux 4 Reporter: Josh Bressers <bressers>
Component: gzipAssignee: Ivana Varekova <varekova>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: low Docs Contact:
Priority: medium    
Version: 4.0Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20050404,source=bugtraq,reported=20050404
Fixed In Version: RHSA-2005-357 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-06-13 12:12:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments:
Description Flags
Proposed patch from Steve Grubb none

Description Josh Bressers 2005-04-22 18:18:09 UTC
Race condition in gzip 1.2.4, 1.3.3, and earlier when decompressing a gzip
allows local users to modify permissions of arbitrary files via a hard link
attack on a file while it is being decompressed, whose permissions are changed
by gzip after the decompression is complete.

http://www.securityfocus.com/archive/1/394965

Comment 1 Josh Bressers 2005-04-22 18:21:03 UTC
This issue should also affect RHEL2.1 and RHEL3.

Comment 2 Josh Bressers 2005-04-29 13:59:33 UTC
Created attachment 113841 [details]
Proposed patch from Steve Grubb

Comment 3 Ivana Varekova 2005-05-03 09:46:47 UTC
The new versions (gzip-1.3.3-11.rhel3, gzip-1.3.3-15.rhel4, gzip-1.3-17.rhel2)
released.
Ivana Varekova

Comment 4 Petter Reinholdtsen 2005-05-20 16:18:37 UTC
This bug has been reported into Debian BTS too.  There, a different
patch is suggested to solve the problem.  The debian patch is a lot
shorter.  Have a look at <URL: http://bugs.debian.org/305255 >.
(Just mentioning it, to give you information about another approach.)


Comment 5 Petter Reinholdtsen 2005-05-20 16:58:33 UTC
I was just confused.  The debian bug I posted is for CAN-2005-1228, and not
this bug.  The currect debian bug for CAN-2005-0988 is #303927.

Comment 6 Josh Bressers 2005-06-13 12:12:58 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-357.html


Comment 7 Derek T. Yarnell 2005-11-30 18:09:59 UTC
This has to be re-opened.  This patch has produced a bug in gzip files over NFS.  The problem crops up 
with the fchmod hanging for a long time and pushing rpciod load through the roof.  Sometimes the gzip 
finishes and sometimes it doesn't.  I can produce the file that hangs the machine (1.2gig file, 
decompresses into 3gig file) please contact derek@umiacs.umd.edu.

I have tested this with the Suse unpatched version of this and since it closes the file first then runs chmod 
it does not hang indefinitely.