authorSimon L. B. Nielsen <simon@FreeBSD.org>2005-06-08 21:31:16 +0000
committerSimon L. B. Nielsen <simon@FreeBSD.org>2005-06-08 21:31:16 +0000
commit317ea1e1e0ffa8b5310d43ff4958e6d912af80c8 (patch)
tree62abd0d5037e30af417dfa6b5391c38583b249d5
parent0c180226e75eaf7f4c7091ff51ac5808e44c9843 (diff)
Correct directory traversal and race condition vulnerabilities in gzip.
Security: FreeBSD-SA-05:11.gzip Security: CAN-2005-0988, CAN-2005-1228 Obtained from: Steve Grubb via RedHat, Debian Approved by: so (nectar)
Notes
Notes: svn path=/releng/4.11/; revision=147148
-rw-r--r--UPDATING3
-rw-r--r--gnu/usr.bin/gzip/gzip.c18
-rw-r--r--sys/conf/newvers.sh2
3 files changed, 14 insertions, 9 deletions
diff --git a/UPDATING b/UPDATING
index 3ae1e8dc322c..6d39802f3373 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,6 +17,9 @@ minimal number of processes, if possible, for that patch. For those
updates that don't have an advisory, or to be safe, you can do a full
build and install as described in the COMMON ITEMS section.
+20050608: p10 FreeBSD-SA-05:11.gzip
+ Correct directory traversal and race condition vulnerabilities in gzip.
+
20050513: p9 FreeBSD-SA-05:09.htt
Add a knob for disabling/enabling HTT. Default off due to information
disclosure on multi-user systems.
diff --git a/gnu/usr.bin/gzip/gzip.c b/gnu/usr.bin/gzip/gzip.c
index b59b4d1a7a4c..e38353eab087 100644
--- a/gnu/usr.bin/gzip/gzip.c
+++ b/gnu/usr.bin/gzip/gzip.c
@@ -830,8 +830,11 @@ local void treat_file(iname)
}
close(ifd);
- if (!to_stdout && close(ofd)) {
- write_error();
+ if (!to_stdout) {
+ /* Copy modes, times, ownership, and remove the input file */
+ copy_stat(&istat);
+ if (close(ofd))
+ write_error();
}
if (method == -1) {
if (!to_stdout) unlink (ofname);
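Review bot: copy_stat() now runs before the `method == -1` check just below it, and by its own comment it also removes the input file, so a failed pass appears to delete the input and then unlink the output as well. Guarding the call with `if (method != -1) copy_stat(&istat);` keeps the descriptor-based fix while leaving the input in place on error. The same ordering also means a failing `close(ofd)` is reported only after the input is gone. The loop that sets `method` and the rest of treat_file are outside this hunk, so this should be confirmed against the full function.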
@@ -851,10 +854,6 @@ local void treat_file(iname)
}
fprintf(stderr, "\n");
}
- /* Copy modes, times, ownership, and remove the input file */
- if (!to_stdout) {
- copy_stat(&istat);
- }
}
/* ========================================================================
@@ -1257,6 +1256,7 @@ local int get_method(in)
/* Copy the base name. Keep a directory prefix intact. */
char *p = basename(ofname);
char *base = p;
+ char *base2;
for (;;) {
*p = (char)get_char();
if (*p++ == '\0') break;
@@ -1264,6 +1264,8 @@ local int get_method(in)
error("corrupted input -- file name too large");
}
}
+ base2 = basename (base);
+ strcpy(base, base2);
/* If necessary, adapt the name to local OS conventions: */
if (!list) {
MAKE_LEGAL_NAME(base);
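Review bot: `strcpy(base, base2)` copies between overlapping regions, since `base2` comes from `basename(base)` and so presumably points into the same buffer (it equals `base` when the stored name has no directory part). The behaviour of strcpy is undefined for overlapping objects, so use `memmove(base, base2, strlen(base2) + 1);` instead. A comment above the two added lines, such as `/* Drop any directory part of the name stored in the archive so the output stays in the intended directory. */`, would record why the name is reduced a second time. get_method begins and ends outside this hunk.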
@@ -1636,12 +1638,12 @@ local void copy_stat(ifstat)
reset_times(ofname, ifstat);
#endif
/* Copy the protection modes */
- if (chmod(ofname, ifstat->st_mode & 07777)) {
+ if (fchmod(ofd, ifstat->st_mode & 07777)) {
WARN((stderr, "%s: ", progname));
if (!quiet) perror(ofname);
}
#ifndef NO_CHOWN
- chown(ofname, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
+ (void) fchown(ofd, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
#endif
remove_ofname = 0;
/* It's now safe to remove the input file: */
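Review bot: The `reset_times(ofname, ifstat)` call at the top of this hunk still identifies the output by path, so the timestamp update keeps the path-based window that the change closes for mode and ownership. Its body is not visible here, but if it uses a path call, passing `ofd` and using a descriptor-based call such as futimes() where available would make all three updates consistent. copy_stat now also depends on the file-scope `ofd` still being open, which its signature does not show. A line in the function header such as `/* Must be called before ofd is closed. */` would record that precondition. The function starts and continues outside this hunk.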
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 7f7298cac7e4..b7d5c359e48c 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
TYPE="FreeBSD"
REVISION="4.11"
-BRANCH="RELEASE-p9"
+BRANCH="RELEASE-p10"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"