src/patches/gzip-1.3.5-security_fixes-1.patch

   1 Submitted By: Matthew Burgess (matthew at linuxfromscratch dot org)
   2 Origin: http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.1.diff.gz
   3 Date: 2005-05-12
   4 Initial package version: 1.3.5
   5 Description: Fix two security vulnerabilities in gzip: A path traversal
   6 bug when using the -N option (CAN-2005-1228) and a race condition in the
   7 file permission restore code (CAN-2005-0998).
   8
   9 diff -Naur gzip-1.3.5.orig/gzip.c gzip-1.3.5/gzip.c
  10 --- gzip-1.3.5.orig/gzip.c      2002-09-28 07:38:43.000000000 +0000
  11 +++ gzip-1.3.5/gzip.c   2005-05-12 19:15:14.796031360 +0000
  12 @@ -875,8 +875,11 @@
  13      }
  14
  15      close(ifd);
  16 -    if (!to_stdout && close(ofd)) {
  17 -       write_error();
  18 +    if (!to_stdout) {
  19 +         /* Copy modes, times, ownership, and remove the input file */
  20 +         copy_stat(&istat);
  21 +         if (close(ofd))
  22 +            write_error();
  23      }
  24      if (method == -1) {
  25         if (!to_stdout) xunlink (ofname);
  26 @@ -896,10 +899,6 @@
  27         }
  28         fprintf(stderr, "\n");
  29      }
  30 -    /* Copy modes, times, ownership, and remove the input file */
  31 -    if (!to_stdout) {
  32 -       copy_stat(&istat);
  33 -    }
  34  }
  35
  36  /* ========================================================================
  37 @@ -1324,6 +1323,8 @@
  38                         error("corrupted input -- file name too large");
  39                     }
  40                 }
  41 +               char *base2 = base_name (base);
  42 +               strcpy(base, base2);
  43                  /* If necessary, adapt the name to local OS conventions: */
  44                  if (!list) {
  45                     MAKE_LEGAL_NAME(base);
  46 @@ -1725,7 +1726,7 @@
  47      reset_times(ofname, ifstat);
  48  #endif
  49      /* Copy the protection modes */
  50 -    if (chmod(ofname, ifstat->st_mode & 07777)) {
  51 +    if (fchmod(ofd, ifstat->st_mode & 07777)) {
  52         int e = errno;
  53         WARN((stderr, "%s: ", progname));
  54         if (!quiet) {
  55 @@ -1734,7 +1735,7 @@
  56         }
  57      }
  58  #ifndef NO_CHOWN
  59 -    chown(ofname, ifstat->st_uid, ifstat->st_gid);  /* Copy ownership */
  60 +    fchown(ofd, ifstat->st_uid, ifstat->st_gid);  /* Copy ownership */
  61  #endif
  62      remove_ofname = 0;
  63      /* It's now safe to remove the input file: */