gzip/patches/gzip-1.3.5-security_fixes-1.patch

Submitted By: Matthew Burgess (matthew at linuxfromscratch dot org)
Origin: http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.1.diff.gz
Date: 2005-05-12
Initial package version: 1.3.5
Description: Fix two security vulnerabilities in gzip: A path traversal
bug when using the -N option (CAN-2005-1228) and a race condition in the
file permission restore code (CAN-2005-0998).

diff -Naur gzip-1.3.5.orig/gzip.c gzip-1.3.5/gzip.c
--- gzip-1.3.5.orig/gzip.c	2002-09-28 07:38:43.000000000 +0000
+++ gzip-1.3.5/gzip.c	2005-05-12 19:15:14.796031360 +0000
@@ -875,8 +875,11 @@
     }
 
     close(ifd);
-    if (!to_stdout && close(ofd)) {
-	write_error();
+    if (!to_stdout) {
+         /* Copy modes, times, ownership, and remove the input file */
+         copy_stat(&istat);
+         if (close(ofd))
+            write_error();
     }
     if (method == -1) {
 	if (!to_stdout) xunlink (ofname);
@@ -896,10 +899,6 @@
 	}
 	fprintf(stderr, "\n");
     }
-    /* Copy modes, times, ownership, and remove the input file */
-    if (!to_stdout) {
-	copy_stat(&istat);
-    }
 }
 
 /* ========================================================================
@@ -1324,6 +1323,8 @@
 			error("corrupted input -- file name too large");
 		    }
 		}
+		char *base2 = base_name (base);
+		strcpy(base, base2);
                 /* If necessary, adapt the name to local OS conventions: */
                 if (!list) {
                    MAKE_LEGAL_NAME(base);
@@ -1725,7 +1726,7 @@
     reset_times(ofname, ifstat);
 #endif
     /* Copy the protection modes */
-    if (chmod(ofname, ifstat->st_mode & 07777)) {
+    if (fchmod(ofd, ifstat->st_mode & 07777)) {
 	int e = errno;
 	WARN((stderr, "%s: ", progname));
 	if (!quiet) {
@@ -1734,7 +1735,7 @@
 	}
     }
 #ifndef NO_CHOWN
-    chown(ofname, ifstat->st_uid, ifstat->st_gid);  /* Copy ownership */
+    fchown(ofd, ifstat->st_uid, ifstat->st_gid);  /* Copy ownership */
 #endif
     remove_ofname = 0;
     /* It's now safe to remove the input file: */
1	niro	144	Submitted By: Matthew Burgess (matthew at linuxfromscratch dot org)
2			Origin: http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.1.diff.gz
3			Date: 2005-05-12
4			Initial package version: 1.3.5
5			Description: Fix two security vulnerabilities in gzip: A path traversal
6			bug when using the -N option (CAN-2005-1228) and a race condition in the
7			file permission restore code (CAN-2005-0998).
8
9			diff -Naur gzip-1.3.5.orig/gzip.c gzip-1.3.5/gzip.c
10			--- gzip-1.3.5.orig/gzip.c 2002-09-28 07:38:43.000000000 +0000
11			+++ gzip-1.3.5/gzip.c 2005-05-12 19:15:14.796031360 +0000
12			@@ -875,8 +875,11 @@
13			}
14
15			close(ifd);
16			- if (!to_stdout && close(ofd)) {
17			- write_error();
18			+ if (!to_stdout) {
19			+ /* Copy modes, times, ownership, and remove the input file */
20			+ copy_stat(&istat);
21			+ if (close(ofd))
22			+ write_error();
23			}
24			if (method == -1) {
25			if (!to_stdout) xunlink (ofname);
26			@@ -896,10 +899,6 @@
27			}
28			fprintf(stderr, "\n");
29			}
30			- /* Copy modes, times, ownership, and remove the input file */
31			- if (!to_stdout) {
32			- copy_stat(&istat);
33			- }
34			}
35
36			/* ========================================================================
37			@@ -1324,6 +1323,8 @@
38			error("corrupted input -- file name too large");
39			}
40			}
41			+ char *base2 = base_name (base);
42			+ strcpy(base, base2);
43			/* If necessary, adapt the name to local OS conventions: */
44			if (!list) {
45			MAKE_LEGAL_NAME(base);
46			@@ -1725,7 +1726,7 @@
47			reset_times(ofname, ifstat);
48			#endif
49			/* Copy the protection modes */
50			- if (chmod(ofname, ifstat->st_mode & 07777)) {
51			+ if (fchmod(ofd, ifstat->st_mode & 07777)) {
52			int e = errno;
53			WARN((stderr, "%s: ", progname));
54			if (!quiet) {
55			@@ -1734,7 +1735,7 @@
56			}
57			}
58			#ifndef NO_CHOWN
59			- chown(ofname, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
60			+ fchown(ofd, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
61			#endif
62			remove_ofname = 0;
63			/* It's now safe to remove the input file: */