[people/pmueller/ipfire-2.x.git] / src / patches / gzip-1.3.5-security_fixes-1.patch

Submitted By: Matthew Burgess (matthew at linuxfromscratch dot org)
Origin: http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.1.diff.gz
Date: 2005-05-12
Initial package version: 1.3.5
Description: Fix two security vulnerabilities in gzip: A path traversal
bug when using the -N option (CAN-2005-1228) and a race condition in the
file permission restore code (CAN-2005-0998).

diff -Naur gzip-1.3.5.orig/gzip.c gzip-1.3.5/gzip.c
--- gzip-1.3.5.orig/gzip.c	2002-09-28 07:38:43.000000000 +0000
+++ gzip-1.3.5/gzip.c	2005-05-12 19:15:14.796031360 +0000
@@ -875,8 +875,11 @@
     }
 
     close(ifd);
-    if (!to_stdout && close(ofd)) {
-	write_error();
+    if (!to_stdout) {
+         /* Copy modes, times, ownership, and remove the input file */
+         copy_stat(&istat);
+         if (close(ofd))
+            write_error();
     }
     if (method == -1) {
 	if (!to_stdout) xunlink (ofname);
@@ -896,10 +899,6 @@
 	}
 	fprintf(stderr, "\n");
     }
-    /* Copy modes, times, ownership, and remove the input file */
-    if (!to_stdout) {
-	copy_stat(&istat);
-    }
 }
 
 /* ========================================================================
@@ -1324,6 +1323,8 @@
 			error("corrupted input -- file name too large");
 		    }
 		}
+		char *base2 = base_name (base);
+		strcpy(base, base2);
                 /* If necessary, adapt the name to local OS conventions: */
                 if (!list) {
                    MAKE_LEGAL_NAME(base);
@@ -1725,7 +1726,7 @@
     reset_times(ofname, ifstat);
 #endif
     /* Copy the protection modes */
-    if (chmod(ofname, ifstat->st_mode & 07777)) {
+    if (fchmod(ofd, ifstat->st_mode & 07777)) {
 	int e = errno;
 	WARN((stderr, "%s: ", progname));
 	if (!quiet) {
@@ -1734,7 +1735,7 @@
 	}
     }
 #ifndef NO_CHOWN
-    chown(ofname, ifstat->st_uid, ifstat->st_gid);  /* Copy ownership */
+    fchown(ofd, ifstat->st_uid, ifstat->st_gid);  /* Copy ownership */
 #endif
     remove_ofname = 0;
     /* It's now safe to remove the input file: */
Commit	Line	Data
dd714b8a MT	1	Submitted By: Matthew Burgess (matthew at linuxfromscratch dot org)
	2	Origin: http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.1.diff.gz
	3	Date: 2005-05-12
	4	Initial package version: 1.3.5
	5	Description: Fix two security vulnerabilities in gzip: A path traversal
	6	bug when using the -N option (CAN-2005-1228) and a race condition in the
	7	file permission restore code (CAN-2005-0998).
	8
	9	diff -Naur gzip-1.3.5.orig/gzip.c gzip-1.3.5/gzip.c
	10	--- gzip-1.3.5.orig/gzip.c 2002-09-28 07:38:43.000000000 +0000
	11	+++ gzip-1.3.5/gzip.c 2005-05-12 19:15:14.796031360 +0000
	12	@@ -875,8 +875,11 @@
	13	}
	14
	15	close(ifd);
	16	- if (!to_stdout && close(ofd)) {
	17	- write_error();
	18	+ if (!to_stdout) {
	19	+ /* Copy modes, times, ownership, and remove the input file */
	20	+ copy_stat(&istat);
	21	+ if (close(ofd))
	22	+ write_error();
	23	}
	24	if (method == -1) {
	25	if (!to_stdout) xunlink (ofname);
	26	@@ -896,10 +899,6 @@
	27	}
	28	fprintf(stderr, "\n");
	29	}
	30	- /* Copy modes, times, ownership, and remove the input file */
	31	- if (!to_stdout) {
	32	- copy_stat(&istat);
	33	- }
	34	}
	35
	36	/* ========================================================================
	37	@@ -1324,6 +1323,8 @@
	38	error("corrupted input -- file name too large");
	39	}
	40	}
	41	+ char *base2 = base_name (base);
	42	+ strcpy(base, base2);
	43	/* If necessary, adapt the name to local OS conventions: */
	44	if (!list) {
	45	MAKE_LEGAL_NAME(base);
	46	@@ -1725,7 +1726,7 @@
	47	reset_times(ofname, ifstat);
	48	#endif
	49	/* Copy the protection modes */
	50	- if (chmod(ofname, ifstat->st_mode & 07777)) {
	51	+ if (fchmod(ofd, ifstat->st_mode & 07777)) {
	52	int e = errno;
	53	WARN((stderr, "%s: ", progname));
	54	if (!quiet) {
	55	@@ -1734,7 +1735,7 @@
	56	}
	57	}
	58	#ifndef NO_CHOWN
	59	- chown(ofname, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
	60	+ fchown(ofd, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
	61	#endif
	62	remove_ofname = 0;
	63	/* It's now safe to remove the input file: */