Debian Bug report logs - #305255
CAN-2005-1228 gzip: dir traversal bug when using "gunzip -N"


Package: gzip; Maintainer for gzip is Bdale Garbee <bdale@gag.com>; Source for gzip is src:gzip.

Reported by: metaur@telia.com

Date: Mon, 18 Apr 2005 22:03:02 UTC

Severity: important

Tags: patch, security

Found in version 1.3.5-9

Fixed in version gzip/1.3.5-10

Done: Bdale Garbee <bdale@gag.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#305255; Package gzip. Full text and rfc822 format available.

Acknowledgement sent to metaur@telia.com:
New Bug report received and forwarded. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Ulf Harnhammar <metaur@telia.com>
To: submit@bugs.debian.org
Subject: gzip: dir traversal bug when using "gunzip -N"
Date: Mon, 18 Apr 2005 23:49:54 +0200
[Message part 1 (text/plain, inline)]
Subject: gzip: dir traversal bug when using "gunzip -N"
Package: gzip
Version: 1.3.5-9
Severity: important
Tags: security patch

A directory traversal bug exists in multiple versions of gzip. When
compressing a file, gzip saves its original name but not its path inside
the compressed file. When using gunzip's "-N" option, the original name
found inside the compressed file will be used as the name to save the
decompressed file with. "gunzip -N" doesn't check if the original name inside
the compressed file has any "/" characters in it. This makes it possible to
create a malicious compressed file that when decompressed with "gunzip -N"
will create a file at an arbitrary location in the file system, such as
"/etc/nologin" or "/etc/cron.d/evil".

The command "gunzip -N" prints no output during normal operation, so the
user will not get any warning! The command "gunzip -Nv" prints information
about what file it is creating where, but then it may be too late.

The gunzip command always asks before overwriting existing files, so this
bug only allows for creating new files and not overwriting old ones.

This bug has some limited security implications. It allows attackers to create
arbitrary files with arbitrary contents on a system, if they can get a user or
a program with sufficient rights to decompress a .gz file from the attackers
with "gunzip -N".

At least the following gzip versions are affected: 1.2.4, 1.2.4a, 1.3.3,
1.3.4 and 1.3.5.

I have attached the compressed file "dir-traversal-bug.gz" that will create
a file in "/tmp" when decompressed with "gunzip -N". I have also attached a
patch.

// Ulf Härnhammar

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages gzip depends on:
ii  debianutils                 2.8.4        Miscellaneous utilities specific t
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an

-- no debconf information

[dir-traversal-bug.gz (application/octet-stream, attachment)]
[gzip.dirtraversal.patch (text/plain, attachment)]
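As an added example (not part of the bug report, the attached patch, or gzip's own code), the following Python scanner parses the gzip member header described above, extracts the stored FNAME field, and applies the same last-component reduction that the later patches implement, so a .gz file whose stored name would escape the working directory is flagged before anyone runs "gunzip -N" on it. The sample members are constructed inline by `build_member`, a test fixture rather than anything from the page.

```python
import os
import struct

# Flag bits of the FLG byte in a gzip member header (RFC 1952).
FHCRC, FEXTRA, FNAME, FCOMMENT = 0x02, 0x04, 0x08, 0x10


def stored_name(data):
    """Return the FNAME field of a gzip member, or None if it has none."""
    # Fixed header: ID1 ID2 CM FLG MTIME(4) XFL OS = 10 bytes; CM 8 = deflate
    if len(data) < 10 or data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a gzip member")
    flg, pos = data[3], 10
    if flg & FEXTRA:                        # skip the optional extra field
        (xlen,) = struct.unpack_from("<H", data, pos)
        pos += 2 + xlen
    if not flg & FNAME:
        return None
    end = data.find(b"\x00", pos)           # FNAME is zero-terminated
    if end < 0:
        raise ValueError("truncated file name in header")
    return data[pos:end].decode("latin-1")  # RFC 1952: ISO 8859-1


def safe_name(name):
    """Reduce a stored name to its last path component, as the fix does.
    Returns None when nothing usable is left ("dir/", ".", "..")."""
    base = os.path.basename(name)
    return None if base in ("", ".", "..") else base


def check_member(data):
    """Classify a member: ('ok'|'traversal'|'rejected'|'no-name', name)."""
    name = stored_name(data)
    if name is None:
        return ("no-name", None)
    base = safe_name(name)
    if base is None:
        return ("rejected", None)
    return ("ok" if base == name else "traversal", base)


def build_member(name):
    """Constructed test fixture: FNAME header, empty deflate stream, trailer."""
    header = b"\x1f\x8b\x08" + bytes([FNAME]) + b"\x00" * 4 + b"\x00\x03"
    return header + name.encode("latin-1") + b"\x00" + b"\x03\x00" + b"\x00" * 8
```

Run `check_member` over the first few hundred bytes of each incoming .gz file; anything reported as `traversal` or `rejected` is a file that an unpatched "gunzip -N" would write outside the current directory or fail on.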

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#305255; Package gzip. Full text and rfc822 format available.

Acknowledgement sent to Pawel Sikora <pluto@pld-linux.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #10 received at 305255@bugs.debian.org (full text, mbox):

From: Pawel Sikora <pluto@pld-linux.org>
To: 305255@bugs.debian.org
Subject: dir.traversal patch introduces a regression.
Date: Thu, 21 Apr 2005 01:41:01 +0200
with this patch: `gzip -9nf /tmp/something` stores output
in the `pwd`/something.gz. this behaviour breaks rpmbuilds
(our macros compress manpages in $tmpinstalldir in this way).

without this patch: `gzip -9nf /tmp/something` stores output
in /tmp/something.gz.

-- 
/* Copyright (C) 2003, SCO, Inc. This is valuable Intellectual Property. */

                           #define say(x) lie(x)



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#305255; Package gzip. Full text and rfc822 format available.

Acknowledgement sent to metaur@telia.com:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #15 received at 305255@bugs.debian.org (full text, mbox):

From: Ulf Harnhammar <metaur@telia.com>
To: 305255@bugs.debian.org
Cc: pluto@pld-linux.org
Subject: suggestion
Date: Thu, 21 Apr 2005 02:14:37 +0200
Pawel, would it help if I changed the patch so it only
does this when decompressing?

// Ulf Härnhammar




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#305255; Package gzip. Full text and rfc822 format available.

Acknowledgement sent to metaur@telia.com:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #20 received at 305255@bugs.debian.org (full text, mbox):

From: Ulf Harnhammar <metaur@telia.com>
To: 305255@bugs.debian.org
Cc: pluto@pld-linux.org
Subject: Better patch
Date: Thu, 28 Apr 2005 03:58:10 +0200
[Message part 1 (text/plain, inline)]
Hello,

here is a better patch. It removes the directory part of the
filename when it is read from the .gz file, and not when opening
it, so the earlier side effects should disappear now.

// Ulf

[gzip.dirtraversal_better.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#305255; Package gzip. Full text and rfc822 format available.

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #25 received at 305255@bugs.debian.org (full text, mbox):

From: Petter Reinholdtsen <pere@hungry.com>
To: 305255@bugs.debian.org
Subject: Re: gzip: dir traversal bug when using "gunzip -N"
Date: Thu, 19 May 2005 18:14:30 +0200
[Ulf Harnhammar]
> here is a better patch. It removes the directory part of the
> filename when it is read from the .gz file, and not when opening it,
> so the earlier side effects should disappear now.

The patch applies, but does not compile with gzip 1.2.4a.  base_name()
is an unknown function in that source.  Can basename() be used
instead?  The code seems to indicate this.  This patch compiles, but I
am not sure if it is correct, yet.

--- src-1.2.4a-local/gzip.c     1993-08-19 15:39:43.000000000 +0200
+++ src-1.2.4aUSIT.1/gzip.c     2005-05-19 18:09:02.000000000 +0200
@@ -1251,6 +1251,8 @@
                        error("corrupted input -- file name too large");
                    }
                }
+               char *base2 = basename (base);
+               strcpy(base, base2);
                 /* If necessary, adapt the name to local OS conventions: */
                 if (!list) {
                    MAKE_LEGAL_NAME(base);
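Review bot: the added `strcpy(base, base2);` copies between overlapping buffers. Both the GNU and the POSIX basename() return a pointer into the string they are given (POSIX also allows it to modify that string in place), so `base2` normally points inside `base`, and strcpy on overlapping objects is undefined behaviour; `memmove(base, base2, strlen(base2) + 1)` is the safe form. The hunk also does not add the header that declares basename() (`<libgen.h>` for the POSIX variant, `<string.h>` with _GNU_SOURCE for the GNU one); without a prototype a C89 compiler assumes an int return value, which silently truncates the pointer on 64-bit targets. Lastly, `char *base2 = basename (base);` is a declaration after statements, which is not valid C89.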



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#305255; Package gzip. Full text and rfc822 format available.

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #30 received at 305255@bugs.debian.org (full text, mbox):

From: Petter Reinholdtsen <pere@hungry.com>
To: 305255@bugs.debian.org
Subject: Re: gzip: dir traversal bug when using "gunzip -N"
Date: Fri, 20 May 2005 18:36:23 +0200
retitle 305255 CAN-2005-1228 gzip: dir traversal bug when using "gunzip -N"
thanks

Time to tag the CVE number into the title. :)

This bug is reported into RedHat as bug
<URL:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=156266>.
There is no patch available there.  It is also reported as solved by
Ubuntu, <URL:http://lwn.net/Alerts/134678/>.  They are using the patch
directly from Ulf Harnhammar.

Based on the patch from Ulf Harnhammar, I ended up with this patch for
version 1.2.4a.  The original patch was not legal ANSI C89, and failed
to build with gcc 2.95.  I'm still not sure if the use of basename()
instead of base_name() is the correct thing to do here.

diff -ur src-1.2.4a-local/gzip.c src-1.2.4aUSIT.1/gzip.c
--- src-1.2.4a-local/gzip.c     1993-08-19 15:39:43.000000000 +0200
+++ src-1.2.4aUSIT.1/gzip.c     2005-05-19 18:20:17.000000000 +0200
@@ -1244,6 +1244,7 @@
                /* Copy the base name. Keep a directory prefix intact. */
                 char *p = basename(ofname);
                 char *base = p;
+               char *base2;
                for (;;) {
                    *p = (char)get_char();
                    if (*p++ == '\0') break;
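Review bot: hoisting `char *base2;` to the top of the block resolves the C89 mixed-declaration problem, but the block comment `/* Copy the base name. Keep a directory prefix intact. */` now describes only half of what happens: the directory prefix of `ofname` (the output path chosen on the command line) is kept, while the directory part of the name read from the .gz header is stripped after this loop. A one-line comment next to the declaration saying that the stored name is reduced to its last component below would save the next reader from wondering whether the check was forgotten.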
@@ -1251,6 +1252,8 @@
                        error("corrupted input -- file name too large");
                    }
                }
+               base2 = basename (base);
+               strcpy(base, base2);
                 /* If necessary, adapt the name to local OS conventions: */
                 if (!list) {
                    MAKE_LEGAL_NAME(base);
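Review bot: the result of `base2 = basename (base);` is copied back without being validated. POSIX basename() of "/" returns "/" (the GNU variant returns ""), basename() of ".." returns "..", and for a name with a trailing slash POSIX returns the last component while GNU returns "", so `base` can end up as "/", ".", ".." or an empty string and still be handed to MAKE_LEGAL_NAME() and then opened. Treat those results as a corrupt header, the same way the `file name too large` case just above is handled, or fall back to the output name derived from the .gz file name. The `strcpy(base, base2);` overlap from the earlier version of this hunk also remains: basename() returns a pointer into the same buffer, so memmove() is the correct call here.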



Changed Bug title. Request was from Petter Reinholdtsen <pere@hungry.com> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#305255; Package gzip. Full text and rfc822 format available.

Acknowledgement sent to bdale@gag.com (Bdale Garbee):
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #37 received at 305255@bugs.debian.org (full text, mbox):

From: bdale@gag.com (Bdale Garbee)
To: 305255@bugs.debian.org, control@bugs.debian.org
Subject: thanks
Date: Fri, 20 May 2005 21:53:43 -0600 (MDT)
tag 205255 +pending
thanks

Patch applied in my CVS for next upload.

Bdale



Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to metaur@telia.com:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #42 received at 305255-close@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: 305255-close@bugs.debian.org
Subject: Bug#305255: fixed in gzip 1.3.5-10
Date: Sat, 21 May 2005 01:17:04 -0400
Source: gzip
Source-Version: 1.3.5-10

We believe that the bug you reported is fixed in the latest version of
gzip, which is due to be installed in the Debian FTP archive:

gzip_1.3.5-10.diff.gz
  to pool/main/g/gzip/gzip_1.3.5-10.diff.gz
gzip_1.3.5-10.dsc
  to pool/main/g/gzip/gzip_1.3.5-10.dsc
gzip_1.3.5-10_i386.deb
  to pool/main/g/gzip/gzip_1.3.5-10_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 305255@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated gzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Fri, 20 May 2005 22:34:49 -0600
Source: gzip
Binary: gzip
Architecture: source i386
Version: 1.3.5-10
Distribution: unstable
Urgency: medium
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 gzip       - The GNU compression utility
Closes: 263792 283730 303927 305255 308379
Changes: 
 gzip (1.3.5-10) unstable; urgency=medium
 .
   * remove PAGER reference from zmore.1, closes: #263792
   * patch to improve zgrep argument sanitizing (CAN-2005-0758),
     closes: #308379
   * patch isolated by Petter Reinholdtsen for CAN-2005-0988, closes: #303927
   * patch for dir traversal bug (CAN-2005-1228), closes: #305255
   * up the priority a click because of the security fixes
   * patch to support cross building, closes: #283730
Files: 
 c1bdc2505397e079b9bf8d15ccb33792 554 base required gzip_1.3.5-10.dsc
 905cd5c24a4376bd9a97190a388775e9 56311 base required gzip_1.3.5-10.diff.gz
 bdd5d477cb4a7f048052d5c34f31a860 70758 base required gzip_1.3.5-10_i386.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#305255; Package gzip. Full text and rfc822 format available.

Acknowledgement sent to metaur@telia.com:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #47 received at 305255@bugs.debian.org (full text, mbox):

From: Ulf Harnhammar <metaur@telia.com>
To: pere@hungry.com
Cc: 305255@bugs.debian.org
Subject: the gzip patch
Date: Sat, 21 May 2005 10:30:42 +0200
> I'm still not sure if the use of basename()
> instead of base_name() is the correct thing to do here.

It's the same function, so it should be correct.

// Ulf






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 19:27:38 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.