]>
Commit | Line | Data |
---|---|---|
dd714b8a MT |
1 | Submitted By: Matthew Burgess (matthew at linuxfromscratch dot org) |
2 | Origin: http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.1.diff.gz | |
3 | Date: 2005-05-12 | |
4 | Initial package version: 1.3.5 | |
5 | Description: Fix two security vulnerabilities in gzip: A path traversal | |
6 | bug when using the -N option (CAN-2005-1228) and a race condition in the | |
7 | file permission restore code (CAN-2005-0998). | |
8 | ||
9 | diff -Naur gzip-1.3.5.orig/gzip.c gzip-1.3.5/gzip.c | |
10 | --- gzip-1.3.5.orig/gzip.c 2002-09-28 07:38:43.000000000 +0000 | |
11 | +++ gzip-1.3.5/gzip.c 2005-05-12 19:15:14.796031360 +0000 | |
12 | @@ -875,8 +875,11 @@ | |
13 | } | |
14 | ||
15 | close(ifd); | |
16 | - if (!to_stdout && close(ofd)) { | |
17 | - write_error(); | |
18 | + if (!to_stdout) { | |
19 | + /* Copy modes, times, ownership, and remove the input file */ | |
20 | + copy_stat(&istat); | |
21 | + if (close(ofd)) | |
22 | + write_error(); | |
23 | } | |
24 | if (method == -1) { | |
25 | if (!to_stdout) xunlink (ofname); | |
26 | @@ -896,10 +899,6 @@ | |
27 | } | |
28 | fprintf(stderr, "\n"); | |
29 | } | |
30 | - /* Copy modes, times, ownership, and remove the input file */ | |
31 | - if (!to_stdout) { | |
32 | - copy_stat(&istat); | |
33 | - } | |
34 | } | |
35 | ||
36 | /* ======================================================================== | |
37 | @@ -1324,6 +1323,8 @@ | |
38 | error("corrupted input -- file name too large"); | |
39 | } | |
40 | } | |
41 | + char *base2 = base_name (base); | |
42 | + strcpy(base, base2); | |
43 | /* If necessary, adapt the name to local OS conventions: */ | |
44 | if (!list) { | |
45 | MAKE_LEGAL_NAME(base); | |
46 | @@ -1725,7 +1726,7 @@ | |
47 | reset_times(ofname, ifstat); | |
48 | #endif | |
49 | /* Copy the protection modes */ | |
50 | - if (chmod(ofname, ifstat->st_mode & 07777)) { | |
51 | + if (fchmod(ofd, ifstat->st_mode & 07777)) { | |
52 | int e = errno; | |
53 | WARN((stderr, "%s: ", progname)); | |
54 | if (!quiet) { | |
55 | @@ -1734,7 +1735,7 @@ | |
56 | } | |
57 | } | |
58 | #ifndef NO_CHOWN | |
59 | - chown(ofname, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */ | |
60 | + fchown(ofd, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */ | |
61 | #endif | |
62 | remove_ofname = 0; | |
63 | /* It's now safe to remove the input file: */ |