Your message dated Sun, 05 Jun 2005 06:40:25 -0600
with message-id <[EMAIL PROTECTED]>
and subject line Bug#311887: MAJOR gzip security issue!
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Date: Fri, 03 Jun 2005 19:43:40 -0700
From: Ron Dorn <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: MAJOR gzip security issue!

Package:gzip



Something does not make sense here. There appears to be a MAJOR gzip 
security issue that seems to violate some basic tenets of Unix security.
I have reproduced this on both the latest patched Woody, and the latest 
Sarge.

Here is the issue.

Create a test file with the following permissions in a directory your 
non-privileged account has write access to.

-rw-r--r--  1 root root 8 Jun  3 18:31 testing.txt

Be logged into your unprivileged account.

gzip the testing.txt file.

It now looks like this

-rw-r--r--  1 rdorn rdorn 40 Jun  3 18:31 testing.txt.gz

The fact that I can gzip this file is bad enough, it deletes the 
original....but wait it gets worse.

now unzip this file

-rw-r--r--  1 rdorn rdorn 8 Jun  3 18:31 testing.txt

I now have write access to this file. This appears to only be the case 
within directories that I have write access to.


Why does gzip have the ability to overwrite the Unix permissions by 
changing ownership? I guess it would be worse if this would work in 
places like /etc or /bin ... but still.


---------------------------------------
Subject: Re: Bug#311887: MAJOR gzip security issue!
From: Bdale Garbee <[EMAIL PROTECTED]>
To: Ron Dorn <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Date: Sun, 05 Jun 2005 06:40:25 -0600

On Sat, 2005-06-04 at 12:35 -0700, Ron Dorn wrote:
> I've done a bit more testing with other utilities, and you are right.
> 
> I did not realize that directory permissions would be able to allow
> you to do things that intuitively seem to override the file
> permissions.
> 
> Thank you for the quick replies.

No worries!  Good thing to understand.

Bdale
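
The rule this thread settles on, as an added example that is not part of the original messages: removing or renaming a file is decided by write and search permission on its parent directory, not by the file's own mode or owner. The function names and the drwxr-xr-x directory mode are assumptions; rdorn and root come from the listings in the report.

```sh
#!/bin/sh
# Added example (not from the bug thread). Lists who, besides the file's
# owner and root, can replace a file by unlinking or renaming it in its
# parent directory, as happened to testing.txt in the report.

# who_can_replace DIR_MODE DIR_OWNER FILE_OWNER
#   DIR_MODE is the parent directory's "ls -l" mode string (drwxr-xr-x).
#   Prints any of: dir-owner group other, or nobody-else.
who_can_replace() {
    mode=$1; dir_owner=$2; file_owner=$3; out=""
    # Sticky bit (t/T in the last position): only the file's owner, the
    # directory's owner, or root may remove or rename entries.
    case $mode in ?????????[tT]*) sticky=1 ;; *) sticky=0 ;; esac
    # Unlink/rename needs write and search on the directory. The
    # directory's owner is not restricted by the sticky bit.
    case $mode in
        ??w[xs]*) if [ "$dir_owner" != "$file_owner" ]; then out="dir-owner"; fi ;;
    esac
    if [ "$sticky" -eq 0 ]; then
        case $mode in ?????w[xs]*) out="$out group" ;; esac
        case $mode in ????????wx*) out="$out other" ;; esac
    fi
    out=${out# }
    printf '%s\n' "${out:-nobody-else}"
}

# audit_file PATH: apply the rule to a real file, reading the mode and
# numeric owners from ls.
audit_file() {
    dir=$(dirname "$1")
    dmode=$(ls -ldn -- "$dir" | awk '{print $1}')
    downer=$(ls -ldn -- "$dir" | awk '{print $3}')
    fowner=$(ls -ln -- "$1" | awk '{print $3}')
    who_can_replace "$dmode" "$downer" "$fowner"
}

# Constructed inputs modelled on the report:
who_can_replace drwxr-xr-x rdorn root   # root's file in rdorn's directory
who_can_replace drwxr-xr-x root root    # a directory like /etc
who_can_replace drwxrwxrwt root root    # a sticky directory like /tmp
```

A result other than nobody-else means the file's contents can be swapped without write permission on the file itself, so anything that must stay intact belongs in a directory writable only by its owner.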


