Bug#775306: pxz: race condition in setting permissions on output file
Hi Moritz,

On Monday, 26 January 2015, Moritz Mühlenhoff wrote:
> Patch attached, can you take care of an upload and unblock with the release team?

thanks for the patch, can do!

cheers,
	Holger
Bug#775306: pxz: race condition in setting permissions on output file
On Wed, Jan 14, 2015 at 05:25:02AM +0100, Holger Levsen wrote:
> control: severity -1 important
>
> Hi Alexander,
>
> On Tuesday, 13 January 2015, Alexander Cherepanov wrote:
> > pxz sets the mode of an output file to be the same as the one of an input file but does it only after compression is over. This leaves the output file with the wrong mode during all the time of the compression process.
>
> thanks for the bug report! Could you maybe come up with a patch?

Patch attached, can you take care of an upload and unblock with the release team?

Cheers,
	Moritz

--- pxz-4.999.99~beta3+git659fc9b.orig/pxz.c +++ pxz-4.999.99~beta3+git659fc9b/pxz.c @@ -285,2 +285,2 @@ int main( int argc, char **argv ) { } fo = stdout; + umask(077); if ( std_in ) { fi = stdin; } else {
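Review bot: umask(077) at the top of main() changes the default mode of every file this process creates, not only the compressed output, and it makes the output 0600 even for a world-readable input; that is acceptable only because pxz still chmods the output to the input's mode once compression finishes, which the changelog entry should spell out. A narrower fix is to fchmod() the output to the input's mode immediately after it is created and before any data is written, which closes the window without a process-wide umask change. The hunk header @@ -285,2 +285,2 @@ does not match a hunk that adds one line and shows several context lines; please regenerate the patch with diff -u so it applies cleanly.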
Bug#775306: pxz: race condition in setting permissions on output file
Control: retitle -1 pxz: CVE-2015-1200: race condition in setting permissions

Hi

This has been assigned CVE-2015-1200 by MITRE.

Regards,
Salvatore
Bug#775306: pxz: race condition in setting permissions on output file
control: severity -1 important

Hi Alexander,

On Tuesday, 13 January 2015, Alexander Cherepanov wrote:
> pxz sets the mode of an output file to be the same as the one of an input file but does it only after compression is over. This leaves the output file with the wrong mode during all the time of the compression process.

thanks for the bug report! Could you maybe come up with a patch?

cheers,
	Holger
Bug#775306: pxz: race condition in setting permissions on output file
Package: pxz
Version: 4.999.99~beta3+git659fc9b-2
Tags: security

pxz sets the mode of an output file to be the same as the one of an input file but does it only after compression is over. This leaves the output file with the wrong mode during all the time of the compression process.

Illustration:

  $ truncate -s 1G foo
  $ chmod 600 foo
  $ pxz foo &
  [1] 9240
  $ ls -l foo.xz
  -rw-r--r-- 1 user user 0 Jan 14 00:33 foo.xz
  $ wait %
  [1]+  Done                    pxz foo
  $ ls -l foo.xz
  -rw------- 1 user user 161976 Jan 14 00:33 foo.xz

The issue is similar to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0296 .

--
Alexander Cherepanov
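The window the report describes, as an added C illustration that is not pxz's code (the input and output paths under /tmp are constructed): the output is created with the process umask default and only chmod'd to the input's mode at the end, beside a hardened variant that copies the input's mode with fchmod() before any data is written.

```c
/* Added illustration of the race in this report (not pxz's code): the output
 * is created under the umask default and only chmod'd after "compression". */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `out` for `in`. Returns the permission bits an observer can see on
 * the output while compression is still in progress, or -1 on error. */
static int create_output(const char *in, const char *out, int hardened)
{
    struct stat in_st, out_st;
    if (stat(in, &in_st) < 0) return -1;
    /* O_EXCL: never reuse a pre-existing file or symlink at the output path */
    int fd = open(out, O_WRONLY | O_CREAT | O_EXCL, hardened ? 0600 : 0666);
    if (fd < 0) return -1;
    /* hardened form: apply the input's mode first; fchmod ignores umask */
    if (hardened && fchmod(fd, in_st.st_mode & 07777) < 0) { close(fd); return -1; }
    if (fstat(fd, &out_st) < 0) { close(fd); return -1; }
    int seen = (int)(out_st.st_mode & 07777);
    /* ... the long compression write would run here; only now does the
     * vulnerable variant apply the input's mode, as the report describes ... */
    if (!hardened) fchmod(fd, in_st.st_mode & 07777);
    close(fd);
    return seen;
}

/* Mode open(2) gives a new file requested with 0666 under the current umask. */
int expected_umask_default(void)
{
    mode_t u = umask(0);   /* read the umask (single-threaded demo) */
    umask(u);              /* and restore it */
    return (int)(0666 & ~u);
}

/* Build a constructed 0600 input in /tmp and report the mode each variant
 * exposes during compression; hardened=1 is the fixed form. */
int observed_mode(int hardened)
{
    char in[] = "/tmp/pxz-race-in-XXXXXX", out[64];
    int fd = mkstemp(in);
    if (fd < 0) return -1;
    fchmod(fd, 0600); close(fd);
    snprintf(out, sizeof out, "%s.xz", in);
    int seen = create_output(in, out, hardened);
    unlink(out); unlink(in);
    return seen;
}
```

With a typical umask of 022, observed_mode(0) reports 0644 during compression, matching the -rw-r--r-- listing in the report, while observed_mode(1) reports 0600 from the moment the file exists.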