Bug 152857 - CAN-2004-0970 gzip temporary files issues
Summary: CAN-2004-0970 gzip temporary files issues
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: https://bugzilla.redhat.com/bugzilla/...
Whiteboard: 1, LEGACY, rh73, rh90
Depends On:
Blocks:
Reported: 2004-11-20 10:46 UTC by Marc Deslauriers
Modified: 2008-05-01 15:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:



Description David Lawrence 2005-03-30 23:29:53 UTC
Trustix has discovered temporary file bugs in gzexe, zdiff and znew
which could allow a local user to overwrite arbitrary files by
creating specially named symlinks.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139360
http://www.debian.org/security/2004/dsa-588
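The pattern behind this class of bug is a predictable name under /tmp (typically built from `$$`) that another local user can pre-create as a symlink, so the script follows it and clobbers the target. Below is an added shell example, not code from gzip or from this report, showing a small audit helper that flags that pattern in a script and a hardened temp-file routine of the kind the fixed scripts use; the function names and the regex are my own.

```shell
#!/bin/sh
# Added example (not from gzip or this bug): detect the unsafe temp-name pattern
# and create temporary files in a way that a pre-planted symlink cannot hijack.

# Print (and return 0 for) lines that build a temp name from a fixed /tmp path
# plus the shell PID; return 1 when no such line exists in the script.
audit_tmp_pattern() {
    grep -nE '/tmp/[A-Za-z0-9_.-]*\$\$' "$1"
}

# Create a private, owner-only directory with an unpredictable name and a
# work file inside it. Refuses to continue if the directory cannot be made
# or if anything (including a symlink) already sits at the chosen path.
make_private_tmp() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/gzexe.XXXXXX") || return 1
    # mode 700: no other local user can traverse the directory or plant names in it
    chmod 700 "$dir" || return 1
    file="$dir/work"
    if [ -L "$file" ] || [ -e "$file" ]; then
        return 1
    fi
    # umask 077 so the file is created owner-readable/writable only
    (umask 077; : > "$file") || return 1
    # final check: must be a regular file, never a symlink
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    printf '%s\n' "$file"
}
```

Run `audit_tmp_pattern` against a script to see whether it still contains `/tmp/name$$`-style temp names; use `make_private_tmp` in place of such a line and remove the directory with `rm -rf` when the script exits.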



------- Additional Comments From rob.myers@gtri.gatech.edu 2004-11-29 11:53:45 ----

afaict, this does not apply to gzip-1.3.3-11 on fc1.  of course that does not
explain why redhat is looking at this issue for RHEL3 and RHEL4...  i guess i'll
keep an eye on any patches that they release.

can someone else confirm/deny this?



------- Additional Comments From siegert@sfu.ca 2005-01-07 11:12:44 ----

Created an attachment (id=962)
CAN-2004-0970 for gzip-1.3.3

This is the only part of the Debian patch that seems to apply to gzip-1.3.3 -
if at all.



------- Additional Comments From pekkas@netcore.fi 2005-02-15 07:17:37 ----

Hmm.  Red Hat has already included a hardened version of the script; from
changelogs:

* Fri Oct 26 2001 Trond Eivind Glomsrød <teg@redhat.com> 1.3.0-16
- replace tempfile patches with improved ones solar@openwall.com
- Add less to the dependency chain - zless needs it

Can anyone check this out?  Maybe we can close this as NOTABUG.



------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-05 20:11:20 ----

Yep. Confirmed. This was already fixed.

------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:29 -------

This bug previously known as bug 2292 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2292
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
CAN-2004-0970 for gzip-1.3.3
https://bugzilla.fedora.us/attachment.cgi?action=view&id=962

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.