1 Submitted By: Matthew Burgess (matthew at linuxfromscratch dot org)
2 Origin: http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.1.diff.gz
4 Initial package version: 1.3.5
5 Description: Fix two security vulnerabilities in gzip: A path traversal
6 bug when using the -N option (CAN-2005-1228) and a race condition in the
7 file permission restore code (CAN-2005-0998).
9 diff -Naur gzip-1.3.5.orig/gzip.c gzip-1.3.5/gzip.c
10 --- gzip-1.3.5.orig/gzip.c 2002-09-28 07:38:43.000000000 +0000
11 +++ gzip-1.3.5/gzip.c 2005-05-12 19:15:14.796031360 +0000
16 - if (!to_stdout && close(ofd)) {
19 + /* Copy modes, times, ownership, and remove the input file */
25 if (!to_stdout) xunlink (ofname);
28 fprintf(stderr, "\n");
30 - /* Copy modes, times, ownership, and remove the input file */
36 /* ========================================================================
38 error("corrupted input -- file name too large");
41 + char *base2 = base_name (base);
42 + strcpy(base, base2);
43 /* If necessary, adapt the name to local OS conventions: */
45 MAKE_LEGAL_NAME(base);
47 reset_times(ofname, ifstat);
49 /* Copy the protection modes */
50 - if (chmod(ofname, ifstat->st_mode & 07777)) {
51 + if (fchmod(ofd, ifstat->st_mode & 07777)) {
53 WARN((stderr, "%s: ", progname));
59 - chown(ofname, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
60 + fchown(ofd, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
63 /* It's now safe to remove the input file: */