Debian Bug report logs - #193375
znew: Insecure /tmp usage


Package: gzip; Maintainer for gzip is Bdale Garbee <bdale@gag.com>; Source for gzip is src:gzip.

Reported by: Paul Szabo <psz@maths.usyd.edu.au>

Date: Thu, 15 May 2003 03:03:02 UTC

Severity: grave

Tags: patch, security

Found in version 1.3.2-3

Fixed in version gzip/1.3.5-6

Done: Bdale Garbee <bdale@gag.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>, gzip@packages.qa.debian.org:
Bug#193375; Package gzip.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
New Bug report received and forwarded. Copy sent to Bdale Garbee <bdale@gag.com>, gzip@packages.qa.debian.org.

Message #5 received at submit@bugs.debian.org:

From: Paul Szabo <psz@maths.usyd.edu.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: znew: Insecure /tmp usage
Date: Thu, 15 May 2003 12:49:07 +1000
Package: gzip
Version: 1.3.2-3
Severity: grave
File: /bin/znew
Tags: patch security
Justification: user security hole

znew thinks it is safe with "set -C", but if attacker pre-creates:
echo nasty > /tmp/zfoo.$$.1
ln -s /etc/ATTACK /tmp/zfoo.$$.2
then nasty gets copied into ATTACK with cpmod, or maybe ATTACK gets
created with touch. Need to test return status e.g. with:

--- /bin/znew   Thu Nov 15 17:06:11 2001
+++ ./znew      Thu May 15 11:10:53 2003
@@ -15,8 +15,8 @@
 warn="(does not preserve modes and timestamp)"
 tmp=/tmp/zfoo.$$
 set -C
-echo hi > $tmp.1
-echo hi > $tmp.2
+echo hi > $tmp.1 || exit 1
+echo hi > $tmp.2 || exit 1
 if test -z "`(${CPMOD-cpmod} $tmp.1 $tmp.2) 2>&1`"; then
   cpmod=${CPMOD-cpmod}
   warn=""
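Review bot: the '|| exit 1' added to the two 'echo hi > $tmp.N' lines makes the script stop when 'set -C' refuses an already existing $tmp.1 or $tmp.2, but an exit on the second line leaves the $tmp.1 that was just created behind, and the script's later cleanup never runs; either 'rm -f $tmp.1' before exiting, or install a 'trap' that removes both names on exit. The name /tmp/zfoo.$$ also stays predictable, so a pre-created file still turns a run into a denial of service; a name generated by mktemp or tempfile removes that problem together with the clobber risk.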

How to pre-create suitable files/links, how to entice users (preferably
root) to run znew, and how to escalate this into something damaging are
"left as an exercise for the reader".

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.19 #1 SMP Wed Nov 13 10:02:38 EST 2002 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages gzip depends on:
ii  debianutils                   1.16       Miscellaneous utilities specific t
ii  libc6                         2.2.5-11.5 GNU C Library: Shared libraries an
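The noclobber-plus-exit-status pattern the patch above relies on, as an added example that is not part of the original report or of gzip's own znew: create_exclusive, make_pair and demo are this example's names, and the pre-occupied names it checks against are constructed inside a directory it creates for itself.

```shell
#!/bin/sh
# Added example, not gzip's znew: 'set -C' (noclobber) makes '>' refuse a
# name that already exists, whether a regular file or a symlink to one, and
# only the exit status of that redirection tells us whether we really own
# the file. Function names here (create_exclusive, make_pair, demo) are
# this example's own.

# create_exclusive FILE: succeed only if FILE did not exist and we created it.
# The subshell keeps 'set -C' from leaking into the caller's shell.
create_exclusive() {
  ( set -C; : > "$1" ) 2>/dev/null
}

# make_pair BASE: create BASE.1 and BASE.2 like znew's $tmp.1 and $tmp.2,
# but give up if either name is taken, removing the one we did create so
# that an aborted run leaves nothing behind.
make_pair() {
  create_exclusive "$1.1" || return 1
  if ! create_exclusive "$1.2"; then
    rm -f "$1.1"
    return 1
  fi
}

# demo: exercise the pattern in a private directory of our own, with
# constructed pre-occupied names. Returns 0 if every check passes.
demo() {
  d=$(mktemp -d) || return 1
  printf 'original\n' > "$d/target"      # constructed: file that must stay intact
  : > "$d/taken.1"                       # constructed: name already in use
  ln -s "$d/target" "$d/linked.2"        # constructed: name is a symlink
  rc=0
  # Occupied names must be refused, and nothing may go through the symlink.
  create_exclusive "$d/taken.1" && rc=1
  create_exclusive "$d/linked.2" && rc=1
  [ "$(cat "$d/target")" = original ] || rc=1
  # A fresh name must succeed.
  create_exclusive "$d/fresh" && [ -f "$d/fresh" ] || rc=1
  # Pair with BASE.2 taken: must fail and must not leave BASE.1 behind.
  make_pair "$d/linked" && rc=1
  [ -e "$d/linked.1" ] && rc=1
  # Pair with both names free: must succeed.
  make_pair "$d/ok" && [ -f "$d/ok.1" ] && [ -f "$d/ok.2" ] || rc=1
  rm -rf "$d"
  return $rc
}

demo && echo "noclobber temp-file pattern behaves as expected"
```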




Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility.

Notification sent to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer.

Message #10 received at 193375-close@bugs.debian.org:

From: Bdale Garbee <bdale@gag.com>
To: 193375-close@bugs.debian.org
Subject: Bug#193375: fixed in gzip 1.3.5-6
Date: Sat, 07 Jun 2003 11:32:39 -0400
We believe that the bug you reported is fixed in the latest version of
gzip, which is due to be installed in the Debian FTP archive:

gzip_1.3.5-6.diff.gz
  to pool/main/g/gzip/gzip_1.3.5-6.diff.gz
gzip_1.3.5-6.dsc
  to pool/main/g/gzip/gzip_1.3.5-6.dsc
gzip_1.3.5-6_ia64.deb
  to pool/main/g/gzip/gzip_1.3.5-6_ia64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 193375@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated gzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Sat,  7 Jun 2003 09:05:11 -0600
Source: gzip
Binary: gzip
Architecture: source ia64
Version: 1.3.5-6
Distribution: unstable
Urgency: medium
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 gzip       - The GNU compression utility
Closes: 193375
Changes: 
 gzip (1.3.5-6) unstable; urgency=medium
 .
   * patch for insecure temp file usage in znew, closes: #193375
Files: 
 a538c91b5fee62950733e44edf2965e5 585 base required gzip_1.3.5-6.dsc
 bc61bd605f03ddd40fdb7dfe7545e5ca 10007 base required gzip_1.3.5-6.diff.gz
 5528ab93318bc843530399173358d890 89234 base required gzip_1.3.5-6_ia64.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#193375; Package gzip.

Acknowledgement sent to psz@maths.usyd.edu.au (Paul Szabo):
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.

Message #15 received at 193375@bugs.debian.org:

From: psz@maths.usyd.edu.au (Paul Szabo)
To: 193375@bugs.debian.org, debian-security-announce@lists.debian.org, mdz@debian.org, security@debian.org
Subject: Re: [SECURITY] [DSA-308-1] New gzip packages fix insecure temporary file creation
Date: Sun, 8 Jun 2003 21:37:56 +1000 (EST)
Matt Zimmerman <mdz@debian.org> wrote:

> Debian Security Advisory DSA 308-1 ...
> Paul Szabo discovered that znew ...

Thanks for fixing znew.

> The gzexe script has a similar vulnerability ...

Sorry, no: gzexe did not have a similar problem so could not be fixed
(not between the "original" version 1.3.2-3 and updated 1.3.2-3woody1).
The change in gzexe was to replace use of /tmp/gztmp$$ by the output of
'tempfile -p gztmp -d /tmp'; but by then we had 'set -C' and 'umask 77'
(and the return status of '... > /tmp/gztmp$$' was checked): the change
does not enhance security. (I note that the return status of tempfile is
not checked in the new version; but it is unlikely to fail.) Securitywise,
the new version is equivalent to the old one.

If anything, gzexe does "funny" things to objects in the current directory
(gzexe is unsafe to use when 'cd'-ed into /tmp or similar); not a likely
scenario so does not need fixing. Do you want me to post patches anyway,
for the sake of paranoid security freaks?

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#193375; Package gzip.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.

Message #20 received at 193375@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: Paul Szabo <psz@maths.usyd.edu.au>
Cc: 193375@bugs.debian.org, security@debian.org
Subject: Re: [SECURITY] [DSA-308-1] New gzip packages fix insecure temporary file creation
Date: Sun, 8 Jun 2003 12:16:29 -0400
On Sun, Jun 08, 2003 at 09:37:56PM +1000, Paul Szabo wrote:

> Matt Zimmerman <mdz@debian.org> wrote:
> > The gzexe script has a similar vulnerability ...
> 
> Sorry, no: gzexe did not have a similar problem so could not be fixed (not
> between the "original" version 1.3.2-3 and updated 1.3.2-3woody1).  The
> change in gzexe was to replace use of /tmp/gztmp$$ by the output of
> 'tempfile -p gztmp -d /tmp'; but by then we had 'set -C' and 'umask 77'
> (and the return status of '... > /tmp/gztmp$$' was checked): the change
> does not enhance security. (I note that the return status of tempfile is
> not checked in the new version; but it is unlikely to fail.) Securitywise,
> the new version is equivalent to the old one.

Ah, I see you are correct.  The code looked so similar to what was in the
unpatched potato version that I overlooked the "set -C" precaution.  At any
rate, it is better to use tempfile, since it is far more difficult to DoS
than /tmp/gztmp$$.  This could be significant if important system binaries
(such as those which might be used to clean up such a DoS attempt) were
compressed with gzexe.

> If anything, gzexe does "funny" things to objects in the current directory
> (gzexe is unsafe to use when 'cd'-ed into /tmp or similar); not a likely
> scenario so does not need fixing. Do you want me to post patches anyway,
> for the sake of paranoid security freaks?

Yes, I noticed this as well, but since gzexe only really makes sense to use
on executables in $PATH, if those directories were writable, this would be
problematic anyway.  Because of this, I did not think it was worth fixing
for stable, but I would encourage you to submit patches for the unstable
version (and upstream) if you are interested.

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#193375; Package gzip.

Acknowledgement sent to psz@maths.usyd.edu.au (Paul Szabo):
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.

Message #25 received at 193375@bugs.debian.org:

From: psz@maths.usyd.edu.au (Paul Szabo)
To: mdz@debian.org
Cc: 193375@bugs.debian.org, security@debian.org
Subject: Re: [SECURITY] [DSA-308-1] New gzip packages fix insecure temporary file creation
Date: Thu, 12 Jun 2003 07:37:38 +1000 (EST)
Matt Zimmerman <mdz@debian.org> wrote on Sun, 8 Jun 2003:

> ... I would encourage you to submit patches [to gzexe] for the unstable
> version (and upstream) if you are interested.

My version below (full file: too many changes for diff to be useful).

Should I submit a new bug report against the gzip package, or is this
message sufficient? I will also send this upstream to support@gzip.org .

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


---

Proposed new version /bin/gzexe :

#!/bin/sh
# gzexe: compressor for Unix executables.
# Use this only for binaries that you do not use frequently.
#
# The compressed version is a shell script which decompresses itself after
# skipping $skip lines of shell commands.  We try invoking the compressed
# executable with the original name (for programs looking at their name).
# We also try to retain the original file permissions on the compressed file.
# For safety reasons, gzexe will not create setuid or setgid shell scripts.

# WARNING: the first line of this file must be either : or #!/bin/sh
# The : is required for some old versions of csh.
# On Ultrix, /bin/sh is too buggy, change the first line to: #!/bin/sh5

# We use several temporary files: makes sense to create a safe temporary
# directory and put them all there. Using one ensures we can invoke the
# executable with original name, without "set -C", umask or ln.
# Use mktemp or tempfile on systems where available.
# Instead of figuring out where tail is, set a sensible (simple) PATH,
# and ensure all utilities we need are available within. (Do not add
# from current PATH as that would be info disclosure.)
# (Can we trust tail to cope with long lines and binary data? Bah...)

zer0="`echo $0 | sed -e 's|^.*/||'`"

decomp=0
res=0
test "$zer0" = "ungzexe" && decomp=1
if test "x$1" = "x-d"; then
  decomp=1
  shift
fi

if test $# = 0; then
  echo "compress executables. original file foo is renamed to foo~"
  echo "usage: ${zer0} [-d] files..."
  echo "   -d  decompress the executables"
  exit 1
fi

IFS="${IFS:- 	}"; saveifs="$IFS"

utils='gzip tail chmod sed sleep rm mkdir'
utilsxtr='ls cat mv cp'
goodpath='/bin:/usr/bin'

# Check that all utils are found somewhere in goodpath (or PATH)
#needpath=''
IFS="${IFS} :"
for utl in $utils $utilsxtr; do
  need=1
# for dir in $goodpath $PATH; do
  for dir in $goodpath; do
    # Use absolute paths only (skip relative or empty)
    case "$dir" in /* ) ;; * ) continue;; esac
    if test -f "$dir/$utl"; then
      need=0
#     needpath="$needpath $dir"
      break
    fi
  done
  if test "$need" = 1; then
#   echo "${zer0}: Cannot find $utl in $goodpath or $PATH"
    echo "${zer0}: Cannot find $utl in $goodpath"
    exit 1
  fi
done
IFS="$saveifs"

## Add to goodpath if needed (from current PATH: info disclosure !!??)
#IFS="${IFS} :"
#for dir in $goodpath $PATH; do
#  # Use absolute paths only (skip relative or empty)
#  case "$dir" in /* ) ;; * ) continue;; esac
#  # Skip if have it already
#  case ":$goodpath:" in *":$dir:"* ) continue;; esac
#  # Skip unless needed
#  case " $needpath " in *" $dir "* ) ;; * ) continue;; esac
#  if test -z "$goodpath"; then
#    goodpath="$dir"
#  else
#    goodpath="$goodpath:$dir"
#  fi
#done
#IFS="$saveifs"

PATH="$goodpath"

tmpdir="`mktemp -d /tmp/gztmp.XXXXXXXXXX 2>/dev/null`" || tmpdir=''
if test -z "$tmpdir"; then
  tmpdir="`tempfile -p gztmp -d /tmp 2>/dev/null`" || tmpdir=''
  if test -z "$tmpdir"; then
    tmpdir=/tmp/gztmp$$
  fi
  rm -f $tmpdir; rm -rf $tmpdir
  mkdir -m 700 $tmpdir || exit 1
fi

trap "rm -rf $tmpdir; exit 1" 1 2 3 5 10 13 15

# Paranoia: sanity check $tmpdir
case "$tmpdir" in
 '' ) echo "${zer0}: Temporary directory name empty"; exit 1;;
 *[^/A-Za-z0-9_.-]* ) echo "${zer0}: Bad temporary directory name $tmpdir"; exit 1;;
esac
if test ! -d $tmpdir; then
  echo "${zer0}: Cannot make temporary directory $tmpdir"
  exit 1
fi
if test ! -w $tmpdir; then
  echo "${zer0}: Temporary directory $tmpdir not writable"
  exit 1
fi
case "`ls -ld $tmpdir`" in
 drwx------* ) ;;
 * )
  echo "${zer0}: Temporary directory $tmpdir has bad type/permissions"
  exit 1
 ;;
esac
if test -n "`ls -A $tmpdir`"; then
  echo "${zer0}: Temporary directory $tmpdir not empty"
  exit 1
fi

cpmod=""
echo hi > $tmpdir/zfoo1
echo hi > $tmpdir/zfoo2
if test -z "`(${CPMOD:-cpmod} $tmpdir/zfoo1 $tmpdir/zfoo2) 2>&1`"; then
  cpmod="${CPMOD:-cpmod}"
fi
rm -f $tmpdir/zfoo1 $tmpdir/zfoo2

tmpfil=$tmpdir/tmpfil

for i do
  case "$i" in
   '' ) echo "${zer0}: empty name (unchanged)"; continue;;
   *[^/A-Za-z0-9_.-]* ) echo "${zer0}: bad name $i (unchanged)"; continue;;
  esac
  x="`echo $i | sed -e 's|^.*/||'`"
  case "$x" in
   '' ) echo "${zer0}: $i has empty name, unchanged"; continue;;
   *[^A-Za-z0-9_.-]* ) echo "${zer0}: $i has bad name, unchanged"; continue;;
  esac
  case " $utils " in
   *" $x "* ) echo "${zer0}: $i would depend on itself, unchanged"; continue;;
  esac
  if test ! -f "$i" ; then
    echo "${zer0}: $i not a file, unchanged"
    continue
  fi
  case "`ls -ld $i`" in
   ???[sS]* ) echo "${zer0}: $i has setuid permission, unchanged"; continue;;
   ??????[sS]* ) echo "${zer0}: $i has setgid permission, unchanged"; continue;;
   '-'??x* ) ;;
   '-'* ) echo "${zer0}: $i is not executable, unchanged"; continue;;
   * ) echo "${zer0}: $i is not a file, unchanged"; continue;;
  esac
  rm -f $tmpfil
  if test -z "$cpmod"; then
    cp -p "$i" $tmpfil 2>/dev/null || cp "$i" $tmpfil
    if test -w $tmpfil 2>/dev/null; then
      writable=1
    else
      writable=0
      chmod u+w $tmpfil 2>/dev/null
    fi
  fi
  skipline="`sed -n -e 1d -e '/^skip=[0-9][0-9]*$/ p' -e 2q $i`"
  if test $decomp -eq 0; then
    # compression
    if test -n "$skipline"; then
      echo "${zer0}: $i is already gzexe'd, unchanged"
      continue
    fi
    {
      sed -e 1q $0
      echo 'skip=25'
      echo 'savepath="$PATH"'
      echo "PATH=$PATH"
      cat <<'EOF'
tmpd="`mktemp -d /tmp/gztmp.XXXXXXXXXX 2>/dev/null`" || tmpd=''
if test -z "$tmpd"; then
  tmpd="`tempfile -p gztmp -d /tmp 2>/dev/null`" || tmpd=''
  if test -z "$tmpd"; then
    tmpd=/tmp/gztmp$$
  fi
  rm -f $tmpd; rm -rf $tmpd
  mkdir -m 700 $tmpd || exit 1
fi
trap 'rm -rf $tmpd; exit $res' 0
tmpf="$tmpd/`echo $0 | sed -e 's|^.*/||'`"
if tail -n +$skip $0 | gzip -cd > "$tmpf"; then
  chmod 700 "$tmpf"
  ( sleep 5; rm -rf $tmpd; ) 2>/dev/null &
  PATH="$savepath" "$tmpf" ${1+"$@"}; res=$?
else
  echo "Cannot decompress $0"; res=1
fi;
rm -rf $tmpd
exit $res
EOF
    } > $tmpfil
    gzip -cv9 "$i" >> $tmpfil || {
      echo "${zer0}: compression not possible for $i, file unchanged."
      res=1
      continue
    }
  else
    # decompression
    # Instead of current skip value, should use that of last older
    # version that did not have skip line
    skip=25
    if test -n "$skipline"; then
      eval "$skipline"
    fi
  tail -n +$skip "$i" | gzip -cd > $tmpfil || {
      echo "${zer0}: $i probably not in gzexe format, file unchanged."
      res=1
      continue
    }
  fi
  rm -f "$i~"
  mv "$i" "$i~" || {
    echo "${zer0}: cannot backup $i as $i~"
    res=1
    continue
  }
  mv $tmpfil "$i" || cp -p $tmpfil "$i" 2>/dev/null || cp $tmpfil "$i" || {
    echo "${zer0}: cannot create $i"
    res=1
    continue
  }
  if test -n "$cpmod"; then
    "$cpmod" "$i~" "$i" 2>/dev/null
  elif test $writable -eq 0; then
    chmod u-w "$i" 2>/dev/null
  fi
done
rm -rf $tmpdir
exit $res



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#193375; Package gzip.

Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list.

Message #30 received at 193375@bugs.debian.org:

From: Bdale Garbee <bdale@gag.com>
To: psz@maths.usyd.edu.au (Paul Szabo)
Cc: 193375@bugs.debian.org
Subject: Re: Bug#193375: [SECURITY] [DSA-308-1] New gzip packages fix insecure temporary file creation
Date: Thu, 12 Jun 2003 08:35:32 -0600
psz@maths.usyd.edu.au (Paul Szabo) writes:

> Should I submit a new bug report against the gzip package, or is this
> message sufficient? I will also send this upstream to support@gzip.org .

Please submit a bug, since I am traveling and won't be able to update the
unstable version today... but don't want to forget about it.

Bdale






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 15:23:48 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.