Annotation of /trunk/gzip/patches/gzip-1.3.5-security_fixes-1.patch
Revision 144 -
Tue May 8 20:06:05 2007 UTC (17 years, 4 months ago) by niro
File size: 2022 byte(s)
-import
1 | niro | 144 | Submitted By: Matthew Burgess (matthew at linuxfromscratch dot org) |
2 | Origin: http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.1.diff.gz | ||
3 | Date: 2005-05-12 | ||
4 | Initial package version: 1.3.5 | ||
5 | Description: Fix two security vulnerabilities in gzip: A path traversal | ||
6 | bug when using the -N option (CAN-2005-1228) and a race condition in the | ||
7 | file permission restore code (CAN-2005-0998). | ||
8 | |||
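--- a/gzip.c
+++ b/gzip.c
@@ -875,8 +875,11 @@
 }
 
 close(ifd);
- if (!to_stdout && close(ofd)) {
- write_error();
+ if (!to_stdout) {
+ /* Copy modes, times, ownership, and remove the input file */
+ copy_stat(&istat);
+ if (close(ofd))
+ write_error();
 }
 if (method == -1) {
 if (!to_stdout) xunlink (ofname);
@@ -896,10 +899,6 @@
 }
 fprintf(stderr, "\n");
 }
- /* Copy modes, times, ownership, and remove the input file */
- if (!to_stdout) {
- copy_stat(&istat);
- }
 }
 
 /* ========================================================================
@@ -1324,6 +1323,8 @@
 error("corrupted input -- file name too large");
 }
 }
+ char *base2 = base_name (base);
+ strcpy(base, base2);
 /* If necessary, adapt the name to local OS conventions: */
 if (!list) {
 MAKE_LEGAL_NAME(base);
@@ -1725,7 +1726,7 @@
 reset_times(ofname, ifstat);
 #endif
 /* Copy the protection modes */
- if (chmod(ofname, ifstat->st_mode & 07777)) {
+ if (fchmod(ofd, ifstat->st_mode & 07777)) {
 int e = errno;
 WARN((stderr, "%s: ", progname));
 if (!quiet) {
@@ -1734,7 +1735,7 @@
 }
 }
 #ifndef NO_CHOWN
- chown(ofname, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
+ fchown(ofd, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
 #endif
 remove_ofname = 0;
 /* It's now safe to remove the input file: */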
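Review bot: In the third hunk (`@@ -1324,6 +1323,8 @@`), `strcpy(base, base2)` copies between overlapping buffers, because `base2` comes from `base_name (base)` and so presumably points into `base` itself; `strcpy` on overlapping objects is undefined behaviour, and this is the line that carries the -N path-traversal fix. I would write `char *base2 = base_name (base);` followed by `if (base2 != base) memmove(base, base2, strlen(base2) + 1);` so the directory prefix is stripped with a copy that is defined for overlap. The declaration of `base2` also follows statements in its block, which a C89 compiler rejects; the enclosing function starts and ends outside the hunk, so the declaration would have to move to the top of whichever block is open there. Separately, the first hunk now calls `copy_stat(&istat)` ahead of the `method == -1` cleanup, and if copy_stat still unlinks the input file as its comment says, a failed run could remove the input before `xunlink (ofname)` removes the output; a guard such as `if (method != -1) copy_stat(&istat);` would keep the input on failure.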