Submitted By: Matthew Burgess (matthew at linuxfromscratch dot org)
Origin: http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.1.diff.gz
Date: 2005-05-12
Initial package version: 1.3.5
Description: Fix two security vulnerabilities in gzip: A path traversal
bug when using the -N option (CAN-2005-1228) and a race condition in the
file permission restore code (CAN-2005-0998).

diff -Naur gzip-1.3.5.orig/gzip.c gzip-1.3.5/gzip.c
--- gzip-1.3.5.orig/gzip.c	2002-09-28 07:38:43.000000000 +0000
+++ gzip-1.3.5/gzip.c	2005-05-12 19:15:14.796031360 +0000
@@ -875,8 +875,11 @@
     }
 
     close(ifd);
-    if (!to_stdout && close(ofd)) {
-	write_error();
+    if (!to_stdout) {
+         /* Copy modes, times, ownership, and remove the input file */
+         copy_stat(&istat);
+         if (close(ofd))
+            write_error();
     }
     if (method == -1) {
 	if (!to_stdout) xunlink (ofname);
@@ -896,10 +899,6 @@
 	}
 	fprintf(stderr, "\n");
     }
-    /* Copy modes, times, ownership, and remove the input file */
-    if (!to_stdout) {
-	copy_stat(&istat);
-    }
 }
 
 /* ========================================================================
@@ -1324,6 +1323,8 @@
 			error("corrupted input -- file name too large");
 		    }
 		}
+		char *base2 = base_name (base);
+		strcpy(base, base2);
                 /* If necessary, adapt the name to local OS conventions: */
                 if (!list) {
                    MAKE_LEGAL_NAME(base);
@@ -1725,7 +1726,7 @@
     reset_times(ofname, ifstat);
 #endif
     /* Copy the protection modes */
-    if (chmod(ofname, ifstat->st_mode & 07777)) {
+    if (fchmod(ofd, ifstat->st_mode & 07777)) {
 	int e = errno;
 	WARN((stderr, "%s: ", progname));
 	if (!quiet) {
@@ -1734,7 +1735,7 @@
 	}
     }
 #ifndef NO_CHOWN
-    chown(ofname, ifstat->st_uid, ifstat->st_gid);  /* Copy ownership */
+    fchown(ofd, ifstat->st_uid, ifstat->st_gid);  /* Copy ownership */
 #endif
     remove_ofname = 0;
     /* It's now safe to remove the input file: */