Author: matthew Date: 2005-05-12 13:25:00 -0600 (Thu, 12 May 2005) New Revision: 949
Added: trunk/gzip/gzip-1.3.5-security_fixes-1.patch Log: Add security patch for gzip Added: trunk/gzip/gzip-1.3.5-security_fixes-1.patch
===================================================================
--- trunk/gzip/gzip-1.3.5-security_fixes-1.patch 2005-05-09 23:53:57 UTC (rev 948)
+++ trunk/gzip/gzip-1.3.5-security_fixes-1.patch 2005-05-12 19:25:00 UTC (rev 949)
@@ -0,0 +1,63 @@
+Submitted By: Matthew Burgess (matthew at linuxfromscratch dot org)
+Origin: http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.1.diff.gz
+Date: 2005-05-12
+Initial package version: 1.3.5
+Description: Fix two security vulnerabilities in gzip: A path traversal
+bug when using the -N option (CAN-2005-1228) and a race condition in the
+file permission restore code (CAN-2005-0998).
+
+diff -Naur gzip-1.3.5.orig/gzip.c gzip-1.3.5/gzip.c
+--- gzip-1.3.5.orig/gzip.c 2002-09-28 07:38:43.000000000 +0000
++++ gzip-1.3.5/gzip.c 2005-05-12 19:15:14.796031360 +0000
+@@ -875,8 +875,11 @@
+ }
+
+ close(ifd);
+- if (!to_stdout && close(ofd)) {
+- write_error();
++ if (!to_stdout) {
++ /* Copy modes, times, ownership, and remove the input file */
++ copy_stat(&istat);
++ if (close(ofd))
++ write_error();
+ }
+ if (method == -1) {
+ if (!to_stdout) xunlink (ofname);
+@@ -896,10 +899,6 @@
+ }
+ fprintf(stderr, "\n");
+ }
+- /* Copy modes, times, ownership, and remove the input file */
+- if (!to_stdout) {
+- copy_stat(&istat);
+- }
+ }
+
+ /* ========================================================================
+@@ -1324,6 +1323,8 @@
+ error("corrupted input -- file name too large");
+ }
+ }
++ char *base2 = base_name (base);
++ strcpy(base, base2);
+ /* If necessary, adapt the name to local OS conventions: */
+ if (!list) {
+ MAKE_LEGAL_NAME(base);
+@@ -1725,7 +1726,7 @@
+ reset_times(ofname, ifstat);
+ #endif
+ /* Copy the protection modes */
+- if (chmod(ofname, ifstat->st_mode & 07777)) {
++ if (fchmod(ofd, ifstat->st_mode & 07777)) {
+ int e = errno;
+ WARN((stderr, "%s: ", progname));
+ if (!quiet) {
+@@ -1734,7 +1735,7 @@
+ }
+ }
+ #ifndef NO_CHOWN
+- chown(ofname, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
++ fchown(ofd, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
+ #endif
+ remove_ofname = 0;
+ /* It's now safe to remove the input file: */
-- http://linuxfromscratch.org/mailman/listinfo/patches FAQ: 
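Review bot: In the gzip.c hunk at line 1324, `strcpy(base, base2)` copies between overlapping regions, because `base2` is the result of `base_name (base)` and so presumably points into `base` itself; overlapping `strcpy` is undefined behaviour, and `memmove(base, base2, strlen(base2) + 1);` is the safe form. `char *base2` is also declared after statements in its block, which a C89 compiler would reject, so the declaration is better hoisted to the top of the block. Separately, the hunk at line 875 now calls `copy_stat(&istat)` before the result of `close(ofd)` is checked and before the `if (method == -1)` branch that unlinks `ofname`. Going by its own comment, copy_stat also removes the input file, so a failed close or a failed member could leave neither a valid output nor the original input; this needs confirming against the full function bodies, which lie outside the hunks. The return value of `fchown(ofd, ...)` is still ignored, as it was for `chown`.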
http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
