Debian Bug report logs - #303300
file permissions modification race (CAN-2005-0953)


Package: bzip2; Maintainer for bzip2 is Anibal Monsalve Salazar <anibal@debian.org>; Source for bzip2 is src:bzip2.

Reported by: Joey Hess <joeyh@debian.org>

Date: Tue, 5 Apr 2005 22:03:05 UTC

Owned by: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>

Severity: serious

Tags: fixed, security, woody

Found in version 1.0.2-5

Fixed in versions bzip2/1.0.2-6, bzip2/1.0.2-1.woody2

Done: Anibal Monsalve Salazar <anibal@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#303300; Package bzip2. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: file permissions modification race (CAN-2005-0953)
Date: Tue, 5 Apr 2005 17:59:05 -0400
[Message part 1 (text/plain, inline)]
Package: bzip2
Version: 1.0.2-5
Severity: normal
Tags: security

According to
http://marc.theaimsgroup.com/?l=bugtraq&m=111229375217633&w=2:

  If a malicious local user has write access to a directory in which a
  target user is using bzip2 to extract or compress a file, then a
  TOCTOU bug can be exploited to change the permissions of any file
  belonging to that user.

  On decompressing, bzip2 copies the permissions from the compressed
  bzip2 file to the uncompressed file. However, there is a gap between
  the uncompressed file being written (and its file handler being
  closed) and the permissions of the file being changed.

  During this gap a malicious user can remove the decompressed file and
  replace it with a hard-link to another file belonging to the user.
  bzip2 will then change the permissions on the hard-linked file to be
  the same as that of the bzip2 file.

This is a low impact security hole as it requires a local user to
exploit a race, and bzip2 must be run in a directory that the attacker
can write to (and +t directories probably don't work), and all you
can do is change a file's permissions.

If you fix this hole, please refer to CAN-2005-0953 in your changelog.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages bzip2 depends on:
ii  libbz2-1.0                  1.0.2-5      high-quality block-sorting file co
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an

-- no debconf information

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]
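The gap described in the quoted advisory, as an added example (not bzip2's code and not the patch referenced in this bug): the same write-then-set-permissions sequence done by name with `chmod()` after closing, and done through the still-open descriptor with `fchmod()`. The function name `other_mode_after`, the file names and the temporary directory are constructed for illustration, and the name swap is performed by the example itself inside its own sandbox.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Mode bits currently on `path`, or -1 on error. */
static int mode_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/*
 * Writes dir/out, re-points the name "out" at dir/other (the swap the
 * report describes, done here deterministically in a private temp dir),
 * then applies `mode` either by name (by_path=1, the racy pattern) or
 * through the still-open descriptor (by_path=0, the hardened pattern).
 * Returns the resulting mode of dir/other, or -1 on error.
 */
int other_mode_after(int by_path, mode_t mode) {
    char dir[] = "/tmp/toctou-demo-XXXXXX";   /* constructed sandbox */
    char out[64], other[64];
    int result = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(out, sizeof out, "%s/out", dir);
    snprintf(other, sizeof other, "%s/other", dir);

    int ofd = open(other, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int fd = open(out, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (ofd < 0 || fd < 0) goto done;
    if (write(fd, "data", 4) != 4) goto done;

    /* The name now refers to a different inode than the one we wrote. */
    if (unlink(out) != 0 || link(other, out) != 0) goto done;

    if (by_path) {
        close(fd); fd = -1;
        if (chmod(out, mode) != 0) goto done;   /* follows the name */
    } else {
        if (fchmod(fd, mode) != 0) goto done;   /* bound to our inode */
    }
    result = mode_of(other);
done:
    if (fd >= 0) close(fd);
    if (ofd >= 0) close(ofd);
    unlink(out); unlink(other); rmdir(dir);
    return result;
}
```

With `by_path=1` the unrelated file ends up with the new mode; with `by_path=0` it keeps 0600, because `fchmod()` acts on the inode that was opened rather than on whatever the name points to at that moment.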

Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#303300; Package bzip2. Full text and rfc822 format available.

Acknowledgement sent to csmall@enc.com.au (Craig Small):
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. Full text and rfc822 format available.

Message #10 received at 303300@bugs.debian.org (full text, mbox):

From: csmall@enc.com.au (Craig Small)
To: 303300@bugs.debian.org
Subject: Possible patch for bzip2
Date: Wed, 4 May 2005 12:13:22 +1000
I'm not sure if this is the right patch for this bzip2 bug, but it
could be.

http://marc.theaimsgroup.com/?l=bugtraq&m=111352423504277&w=2

I don't know enough about bzip2 to know if it is right or not.

 - Craig
-- 
Craig Small      GnuPG:1C1B D893 1418 2AF4 45EE  95CB C76C E5AC 12CA DFA5
Eye-Net Consulting http://www.enc.com.au/   MIEE         Debian developer
csmall at : enc.com.au                      ieee.org           debian.org



Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#303300; Package bzip2. Full text and rfc822 format available.

Acknowledgement sent to Santiago Ruano Rincón <santiago@unicauca.edu.co>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. Full text and rfc822 format available.

Message #15 received at 303300@bugs.debian.org (full text, mbox):

From: Santiago Ruano Rincón <santiago@unicauca.edu.co>
To: 303300@bugs.debian.org
Subject: Bug#303300: corrected patch
Date: Wed, 04 May 2005 00:47:02 -0500
[Message part 1 (text/plain, inline)]
Hi,

The patch sent by Craig has some problems; I've corrected and uploaded
it to:

http://www.unicauca.edu.co/~santiago/bzip2-303300.patch

kind regards,

-- 
Santiago Ruano Rincón
Grupo GNU/Linux Universidad del Cauca
http://gluc.unicauca.edu.co

GPG key fingerprint:
3821 4FB5 774A 611D 31E4  B268 414B 8423 6FEC CDE0
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#303300; Package bzip2. Full text and rfc822 format available.

Acknowledgement sent to Santiago Ruano Rincón <santiago@unicauca.edu.co>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. Full text and rfc822 format available.

Message #20 received at 303300@bugs.debian.org (full text, mbox):

From: Santiago Ruano Rincón <santiago@unicauca.edu.co>
To: 303300@bugs.debian.org
Subject: Patch attached
Date: Wed, 04 May 2005 00:54:13 -0500
[Message part 1 (text/plain, inline)]
Hi,

Patch attached to this mail.

thanks,
-- 
Santiago Ruano Rincón
Grupo GNU/Linux Universidad del Cauca
http://gluc.unicauca.edu.co

GPG key fingerprint:
3821 4FB5 774A 611D 31E4  B268 414B 8423 6FEC CDE0
[bzip2-303300.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Severity set to `serious'. Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: patch, sarge, pending Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #29 received at 303300-close@bugs.debian.org (full text, mbox):

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 303300-close@bugs.debian.org
Subject: Bug#303300: fixed in bzip2 1.0.2-6
Date: Wed, 04 May 2005 04:02:37 -0400
Source: bzip2
Source-Version: 1.0.2-6

We believe that the bug you reported is fixed in the latest version of
bzip2, which is due to be installed in the Debian FTP archive:

bzip2_1.0.2-6.diff.gz
  to pool/main/b/bzip2/bzip2_1.0.2-6.diff.gz
bzip2_1.0.2-6.dsc
  to pool/main/b/bzip2/bzip2_1.0.2-6.dsc
bzip2_1.0.2-6_i386.deb
  to pool/main/b/bzip2/bzip2_1.0.2-6_i386.deb
libbz2-1.0_1.0.2-6_i386.deb
  to pool/main/b/bzip2/libbz2-1.0_1.0.2-6_i386.deb
libbz2-dev_1.0.2-6_i386.deb
  to pool/main/b/bzip2/libbz2-dev_1.0.2-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 303300@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated bzip2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 04 May 2005 17:13:20 +1000
Source: bzip2
Binary: libbz2-1.0 bzip2 libbz2-dev
Architecture: source i386
Version: 1.0.2-6
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 bzip2      - high-quality block-sorting file compressor - utilities
 libbz2-1.0 - high-quality block-sorting file compressor library - runtime
 libbz2-dev - high-quality block-sorting file compressor library - development
Closes: 303300
Changes: 
 bzip2 (1.0.2-6) unstable; urgency=high
 .
   * Fixed RC bug "file permissions modification race (CAN-2005-0953)", closes:
     #303300. Patch by Santiago Ruano Rincon <santiago@unicauca.edu.co>.
     Original patch available at
     http://marc.theaimsgroup.com/?l=bugtraq&m=111352423504277&w=2
Files: 
 a74d3720114343270551736341bd40e0 577 utils standard bzip2_1.0.2-6.dsc
 64713d0abd18a046cf5574c359cf92ae 13388 utils standard bzip2_1.0.2-6.diff.gz
 78d10de9df81a254a6b5d568a094f2ad 38478 libs standard libbz2-1.0_1.0.2-6_i386.deb
 cab75a9f8e336237dc9253aac64ccc88 30232 libdevel optional libbz2-dev_1.0.2-6_i386.deb
 ee9afe41875f2ed2e82eccd8de98efd4 233228 utils optional bzip2_1.0.2-6_i386.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#303300; Package bzip2. Full text and rfc822 format available.

Acknowledgement sent to Helge Kreutzmann <kreutzm@itp.uni-hannover.de>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. Full text and rfc822 format available.

Message #34 received at 303300@bugs.debian.org (full text, mbox):

From: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
To: 303300@bugs.debian.org
Cc: control@bugs.debian.org
Subject: and woody?
Date: Fri, 20 May 2005 19:10:57 +0200
reopen 303300
tags = security, woody
thanks

I find no traces on http://www.nl.debian.org/security/nonvulns-woody.

Btw. http://lwn.net/Articles/136284/ also talks about CAN-2005-1260,
but there is no info yet. Please check how they relate.

Greetings

          Helge
-- 
Dr. Helge Kreutzmann, Dipl.-Phys.           Helge.Kreutzmann@itp.uni-hannover.de
                       gpg signed mail preferred 
    64bit GNU powered                  http://www.itp.uni-hannover.de/~kreutzm
          Help keep free software "libre": http://www.ffii.de/



Bug reopened, originator not changed. Request was from Helge Kreutzmann <kreutzm@itp.uni-hannover.de> to control@bugs.debian.org. Full text and rfc822 format available.

Tags set to: security, woody Request was from Helge Kreutzmann <kreutzm@itp.uni-hannover.de> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: fixed Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Owner recorded as Helge Kreutzmann <kreutzm@itp.uni-hannover.de>. Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #47 received at 303300-done@bugs.debian.org (full text, mbox):

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 303300-done@bugs.debian.org
Cc: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
Subject: Re: Bug#303300: and woody?
Date: Sun, 12 Jun 2005 16:53:37 +1000
[Message part 1 (text/plain, inline)]
On Fri, May 20, 2005 at 07:10:57PM +0200, Helge Kreutzmann wrote:
>reopen 303300
>tags = security, woody
>thanks

Thanks Helge. Your contribution is very much appreciated.

>I find no traces on http://www.nl.debian.org/security/nonvulns-woody.

Maybe you should ask the debian-security mailing list.

>Btw. http://lwn.net/Articles/136284/ also talks about CAN-2005-1260,
>but there is no info yet. Please check how they relate.

This is fixed with bzip2 1.0.2-1.woody3 available at:

http://people.debian.org/~anibal/debian/bzip2/

>Greetings
>
>          Helge
>-- 
>Dr. Helge Kreutzmann, Dipl.-Phys.           Helge.Kreutzmann@itp.uni-hannover.de
>                       gpg signed mail preferred 
>    64bit GNU powered                  http://www.itp.uni-hannover.de/~kreutzm
>          Help keep free software "libre": http://www.ffii.de/

The fix for #303300 is in 1.0.2-1.woody2. The version before
1.0.2-1.woody2 is 1.0.2-1.1 which actually closed #303300 for
woody.

More information about the recent fixes for bzip2 in woody is in
the following mail thread:

http://lists.debian.org/debian-security/2005/06/msg00029.html


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 26 May 2005 13:57:17 +0200
Source: bzip2
Binary: libbz2-dev bzip2 libbz2-1.0
Architecture: source i386
Version: 1.0.2-1.woody2
Distribution: stable-security
Urgency: high
Maintainer: Martin Schulze <joey@debian.org>
Changed-By: Martin Schulze <joey@infodrom.org>
Description: 
 bzip2      - A high-quality block-sorting file compressor - utilities
 libbz2-1.0 - A high-quality block-sorting file compressor library - runtime
 libbz2-dev - A high-quality block-sorting file compressor library - developmen
Changes: 
 bzip2 (1.0.2-1.woody2) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * No changes rebuild because maintainer prevented distribution of
     security fix, thanks a lot!
Files: 
 096bfd852f8d33c3e14d3988982a1569 577 utils optional bzip2_1.0.2-1.woody2.dsc
 edf89c2f7477c6bf7c326cd498c93cf6 8674 utils optional bzip2_1.0.2-1.woody2.diff.gz
 c96ec29b510971a9f1043c68055643dc 35610 libs optional libbz2-1.0_1.0.2-1.woody2_i386.deb
 da5e7f1f21027869052f17ac01fd5a44 28286 devel optional libbz2-dev_1.0.2-1.woody2_i386.deb
 644eab4e2e3ca86af9712bf4965b4d08 228718 utils optional bzip2_1.0.2-1.woody2_i386.deb



Accepted:
bzip2_1.0.2-1.woody2.diff.gz
  to pool/main/b/bzip2/bzip2_1.0.2-1.woody2.diff.gz
bzip2_1.0.2-1.woody2.dsc
  to pool/main/b/bzip2/bzip2_1.0.2-1.woody2.dsc
bzip2_1.0.2-1.woody2_i386.deb
  to pool/main/b/bzip2/bzip2_1.0.2-1.woody2_i386.deb
libbz2-1.0_1.0.2-1.woody2_i386.deb
  to pool/main/b/bzip2/libbz2-1.0_1.0.2-1.woody2_i386.deb
libbz2-dev_1.0.2-1.woody2_i386.deb
  to pool/main/b/bzip2/libbz2-dev_1.0.2-1.woody2_i386.deb



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 23 May 2005 18:31:01 +1000
Source: bzip2
Binary: libbz2-dev bzip2 libbz2-1.0
Architecture: source i386
Version: 1.0.2-1.1
Distribution: stable
Urgency: medium
Maintainer: Philippe Troin <phil@fifi.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 bzip2      - A high-quality block-sorting file compressor - utilities
 libbz2-1.0 - A high-quality block-sorting file compressor library - runtime
 libbz2-dev - A high-quality block-sorting file compressor library - developmen
Closes: 303300
Changes: 
 bzip2 (1.0.2-1.1) stable; urgency=medium
 .
   * Fixed RC bug "file permissions modification race (CAN-2005-0953)", closes:
     #303300. Patch by Santiago Ruano Rincon <santiago@unicauca.edu.co>.
     Original patch available at
     http://marc.theaimsgroup.com/?l=bugtraq&m=111352423504277&w=2
Files: 
 579849cc71ee9fe0eff9624ea44c821d 567 utils optional bzip2_1.0.2-1.1.dsc
 55d252cc8e7f6521563318eec4c0b1e4 8828 utils optional bzip2_1.0.2-1.1.diff.gz
 2c1cc471e38fbd1ce10983e1d4baca6a 35558 libs optional libbz2-1.0_1.0.2-1.1_i386.deb
 01c86a8be105c8796401f1c57f943772 28290 devel optional libbz2-dev_1.0.2-1.1_i386.deb
 9883b8172fd5b69e861e9c7b2840f10c 228734 utils optional bzip2_1.0.2-1.1_i386.deb



Accepted:
bzip2_1.0.2-1.1.diff.gz
  to pool/main/b/bzip2/bzip2_1.0.2-1.1.diff.gz
bzip2_1.0.2-1.1.dsc
  to pool/main/b/bzip2/bzip2_1.0.2-1.1.dsc
bzip2_1.0.2-1.1_i386.deb
  to pool/main/b/bzip2/bzip2_1.0.2-1.1_i386.deb
libbz2-1.0_1.0.2-1.1_i386.deb
  to pool/main/b/bzip2/libbz2-1.0_1.0.2-1.1_i386.deb
libbz2-dev_1.0.2-1.1_i386.deb
  to pool/main/b/bzip2/libbz2-dev_1.0.2-1.1_i386.deb



Anibal Monsalve Salazar
--
 .''`. Debian GNU/Linux
: :' : Free Operating System
`. `'  http://debian.org/
  `-   http://v7w.com/anibal
[signature.asc (application/pgp-signature, inline)]



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 11:17:55 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.