Debian Bug report logs - #321927
CAN-2005-2475: unzip TOCTOU file-permissions vulnerability

Package: unzip; Maintainer for unzip is Santiago Vila <sanvila@debian.org>; Source for unzip is src:unzip.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 8 Aug 2005 10:03:08 UTC

Severity: normal

Tags: patch, security

Found in version unzip/5.52-3

Fixed in version unzip/5.52-4

Done: Santiago Vila <sanvila@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://www.info-zip.org/zip-bug.html


Report forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#321927; Package unzip. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Santiago Vila <sanvila@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CAN-2005-2475: unzip TOCTOU file-permissions vulnerability
Date: Mon, 08 Aug 2005 11:45:23 +0200
Package: unzip
Version: 5.52-3
Severity: normal
Tags: security

There has been a report about a minor security problem in unzip:

 If a malicious local user has write access to a directory in which a
 target user is using unzip to extract a file, then a
 TOCTOU bug can be exploited to change the permission of any file
 belonging to that user.

 On decompressing, unzip copies the permissions from the compressed
 file to the uncompressed file. However, there is a gap between the
 uncompressed file being written (and its file handler being closed)
 and the permissions of the file being changed.

 During this gap a malicious user can remove the decompressed file and
 replace it with a hard-link to another file belonging to the user.
 unzip will then change the permissions on the hard-linked file to be
 the same as that of the compressed file.

 The vulnerable line of code can be found on line 1160 of the file
 unix.c where chmod is used (rather than fchmod). unzip also uses
 chmod in a number of other places which may also be vulnerable to
 exploitation.

See http://marc.theaimsgroup.com/?l=bugtraq&m=112300046224117&w=2 
This is CAN-2005-2475.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Versions of packages unzip depends on:
ii  libc6                         2.3.5-3    GNU C Library: Shared libraries an

unzip recommends no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#321927; Package unzip. Full text and rfc822 format available.

Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. Full text and rfc822 format available.

Message #10 received at 321927@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: Moritz Muehlenhoff <jmm@inutil.org>, 321927@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#321927: CAN-2005-2475: unzip TOCTOU file-permissions vulnerability
Date: Mon, 8 Aug 2005 12:26:03 +0200 (CEST)
forwarded 321927 http://www.info-zip.org/zip-bug.html
thanks

I have just forwarded this report to the authors. Let's see what they
have to say about it.



Noted your statement that Bug has been forwarded to http://www.info-zip.org/zip-bug.html. Request was from Santiago Vila <sanvila@unex.es> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#321927; Package unzip. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. Full text and rfc822 format available.

Message #17 received at 321927@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: 321927@bugs.debian.org
Cc: control@bugs.debian.org, security@debian.org
Subject: Ubuntu patch for unzip CAN-2005-2475
Date: Thu, 29 Sep 2005 17:18:45 +0200
tag 321927 patch
thanks

Hi security team, hi Santiago!

I fixed this in Ubuntu by this simple patch:

  http://patches.ubuntu.com/patches/unzip.CAN-2005-2475.diff

It uses fchmod() instead of chmod() and moves the chmodding to the top
of the function since the output file is already closed very early.

Santiago, can you please send this to upstream?

Please remember to add the CAN number to the changelog when you fix
this.

Thanks for considering and have a nice day!

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
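
The difference between the path-based chmod() named in the report and the descriptor-based fchmod() used in the fix, as an added C example that is not unzip's code or any of the patches discussed here. It replays the name swap deterministically inside a private temporary directory; the function name, file names and modes are constructed for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write an extracted file, then set its mode after the output path has been
 * swapped for a hard link to another file of the same user (constructed
 * stand-in for the race window; everything lives in a private temp dir).
 * Returns the other file's permission bits afterwards, or -1 on error. */
static int other_mode_after_extract(int use_fchmod, mode_t mode)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX", out[64], other[64];
    struct stat st;
    int fd = -1, ofd, rc, result = -1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(out, sizeof out, "%s/member.txt", dir);
    snprintf(other, sizeof other, "%s/private.txt", dir);

    /* Unrelated file owned by the same user, forced to mode 0600. */
    ofd = open(other, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (ofd < 0) goto done;
    rc = fchmod(ofd, 0600);
    close(ofd);
    if (rc != 0) goto done;

    fd = open(out, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0 || write(fd, "data\n", 5) != 5) goto done;
    /* The path-based variant closes first, as described in the report. */
    if (!use_fchmod) { close(fd); fd = -1; }
    /* The name now refers to a different inode than the one written. */
    if (unlink(out) != 0 || link(other, out) != 0) goto done;
    rc = use_fchmod ? fchmod(fd, mode)   /* bound to the inode we opened */
                    : chmod(out, mode);  /* re-resolves the path */
    if (rc == 0 && stat(other, &st) == 0) result = (int)(st.st_mode & 07777);
done:
    if (fd >= 0) close(fd);
    unlink(out); unlink(other); rmdir(dir);
    return result;
}

int main(void)
{
    printf("chmod(path): other file mode %o\n", (unsigned)other_mode_after_extract(0, 0644));
    printf("fchmod(fd):  other file mode %o\n", (unsigned)other_mode_after_extract(1, 0644));
    return 0;
}
```

With chmod() the unrelated file ends up with the archive member's mode; with fchmod() it keeps 0600 because the call acts on the descriptor that was written to, whatever the name points at by then.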

Tags added: patch Request was from Martin Pitt <mpitt@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#321927; Package unzip. Full text and rfc822 format available.

Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. Full text and rfc822 format available.

Message #24 received at 321927@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: Christian.Spieler@t-online.de
Cc: 321927@bugs.debian.org, Martin Pitt <mpitt@debian.org>, security@debian.org
Subject: Bug#321927: Ubuntu patch for unzip CAN-2005-2475 (fwd)
Date: Thu, 29 Sep 2005 19:23:53 +0200 (CEST)
Christian, I received this patch from Ubuntu, so if I'm not mistaken,
there are now three different ways to fix this bug (two of them from
discussions that were not cc:ed to the Debian BTS), but so far none of
these patches have been "blessed" by upstream (i.e. you).

Is this patch good enough for unix systems? Ideally, we would like to
patch this soon, even if the patch is not completely portable to, say,
MS-DOS systems.

Thanks.

---------- Forwarded message ----------
From: Martin Pitt <mpitt@debian.org>
To: 321927@bugs.debian.org
Cc: control@bugs.debian.org, security@debian.org
Date: Thu, 29 Sep 2005 17:18:45 +0200
Subject: Bug#321927: Ubuntu patch for unzip CAN-2005-2475

tag 321927 patch
thanks

Hi security team, hi Santiago!

I fixed this in Ubuntu by this simple patch:

  http://patches.ubuntu.com/patches/unzip.CAN-2005-2475.diff

It uses fchmod() instead of chmod() and moves the chmodding to the top
of the function since the output file is already closed very early.

Santiago, can you please send this to upstream?

Please remember to add the CAN number to the changelog when you fix
this.

Thanks for considering and have a nice day!

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?



Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#321927; Package unzip. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <martin.pitt@canonical.com>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. Full text and rfc822 format available.

Message #29 received at 321927@bugs.debian.org (full text, mbox):

From: Martin Pitt <martin.pitt@canonical.com>
To: Santiago Vila <sanvila@unex.es>
Cc: Christian.Spieler@t-online.de, 321927@bugs.debian.org, security@debian.org
Subject: Re: Bug#321927: Ubuntu patch for unzip CAN-2005-2475 (fwd)
Date: Thu, 29 Sep 2005 20:00:58 +0200
Hi Santiago!

Santiago Vila [2005-09-29 19:23 +0200]:
> Christian, I received this patch from Ubuntu, so if I'm not mistaken,
> there are now three different ways to fix this bug (two of them from
> discussions that were not cc:ed to the Debian BTS), but so far none of
> these patches have been "blessed" by upstream (i.e. you).
> 
> Is this patch good enough for unix systems? Ideally, we would like to
> patch this soon, even if the patch is not completely portable to, say,
> MS-DOS systems.

Please note that this is not an issue since msdos and other systems
have their own backends. My patch only affects unix/unix.c.

Martin


-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?



Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#321927; Package unzip. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. Full text and rfc822 format available.

Message #34 received at 321927@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Santiago Vila <sanvila@unex.es>
Cc: Christian.Spieler@t-online.de, 321927@bugs.debian.org, Martin Pitt <mpitt@debian.org>, security@debian.org
Subject: Re: Bug#321927: Ubuntu patch for unzip CAN-2005-2475 (fwd)
Date: Sun, 2 Oct 2005 16:08:58 +0200
Santiago Vila wrote:
> Christian, I received this patch from Ubuntu, so if I'm not mistaken,
> there are now three different ways to fix this bug (two of them from
> discussions that were not cc:ed to the Debian BTS), but so far none of
> these patches have been "blessed" by upstream (i.e. you).
> 
> Is this patch good enough for unix systems? Ideally, we would like to
> patch this soon, even if the patch is not completely portable to, say,
> MS-DOS systems.

Indeed.  Please let us know if upstream responds.  If not, please
the patch you'll use for the package in sid so that the update
in sarge can use the same.

Regards,

	Joey

-- 
Never trust an operating system you don't have source for!



Reply sent to Santiago Vila <sanvila@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #39 received at 321927-close@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@debian.org>
To: 321927-close@bugs.debian.org
Subject: Bug#321927: fixed in unzip 5.52-4
Date: Wed, 09 Nov 2005 09:32:16 -0800
Source: unzip
Source-Version: 5.52-4

We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive:

unzip_5.52-4.diff.gz
  to pool/main/u/unzip/unzip_5.52-4.diff.gz
unzip_5.52-4.dsc
  to pool/main/u/unzip/unzip_5.52-4.dsc
unzip_5.52-4_powerpc.deb
  to pool/main/u/unzip/unzip_5.52-4_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 321927@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated unzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed,  9 Nov 2005 18:05:02 +0100
Source: unzip
Binary: unzip
Architecture: source powerpc
Version: 5.52-4
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Description: 
 unzip      - De-archiver for .zip files
Closes: 321927
Changes: 
 unzip (5.52-4) unstable; urgency=medium
 .
   * Fixed toctou vulnerability (Closes: #321927). Modified unix/unix.c
     to use fchmod() and fchown() instead of chmod() and chown() to change
     permissions and ownerships on the files actually created by unzip.
     Patch from Dan Yefimov. CAN-2005-2475.
Files: 
 c1cf7df4681cec6693027e68f45cedd8 516 utils optional unzip_5.52-4.dsc
 5eef3ef776f3cf65abf803b0854f1773 8882 utils optional unzip_5.52-4.diff.gz
 73f2f4108ac9349959732c27da2aa0d0 162164 utils optional unzip_5.52-4_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDci2ad9Uuvj7yPNYRAq2CAJ9TQL3S1RG8C3Y8x2iGC05CWOwuoACffgrb
USm0NR4t6fv6lxxfKpYdc6Y=
=Ipxd
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 00:14:57 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 04:15:42 2014; Machine Name: beach.debian.org
