Debian Bug report logs - #700608
pigz creates temp files with too wide permissions (CVE-2013-0296)


Package: pigz; Maintainer for pigz is Eduard Bloch <blade@debian.org>; Source for pigz is src:pigz.

Reported by: Michael Tokarev <mjt@tls.msk.ru>

Date: Fri, 15 Feb 2013 08:33:01 UTC

Severity: serious

Tags: patch, security

Found in versions pigz/2.2.4-1, pigz/2.1.6-1

Fixed in versions pigz/2.2.4-2, pigz/2.1.6-1+squeeze1

Done: Eduard Bloch <blade@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Eduard Bloch <blade@debian.org>:
Bug#700608; Package pigz. (Fri, 15 Feb 2013 08:33:04 GMT)

Acknowledgement sent to Michael Tokarev <mjt@tls.msk.ru>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Eduard Bloch <blade@debian.org>. (Fri, 15 Feb 2013 08:33:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pigz creates temp files with too wide permissions
Date: Fri, 15 Feb 2013 12:30:09 +0400
Package: pigz
Version: 2.2.4-1
Severity: serious
Tags: security


When asked to compress a file with restricted permissions (like
mode 0600), the .gz file pigz creates while doing this has
usual mode derived from umask (like 0644).  If the file is
large enough (and why we would use pigz instead of gzip for
small files), this results in the original content being
readable for everyone until the compression finishes.

Here's the deal:

$ fallocate -l 1G foo
$ chmod 0600 foo
$ pigz foo &
$ ls -l foo foo.gz 
-rw------- 1 mjt mjt 1073741824 Фев 15 12:27 foo
-rw-rw-r-- 1 mjt mjt     502516 Фев 15 12:27 foo.gz

When it finishes, it correctly applies original file permissions
to the newly created file, but it is already waaay too late.

Other one-file archivers (gzip, xz, bzip2, ...) usually create
the temp file with very strict permissions first, and change it
to the right perms only when done, so only the current user can
read it.

It looks like this bug deserves a CVE#.

Thanks,

/mjt



Information forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#700608; Package pigz. (Sat, 16 Feb 2013 07:18:03 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>. (Sat, 16 Feb 2013 07:18:03 GMT)

Message #10 received at 700608@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Michael Tokarev <mjt@tls.msk.ru>, 700608@bugs.debian.org
Subject: Re: Bug#700608: pigz creates temp files with too wide permissions
Date: Sat, 16 Feb 2013 08:14:17 +0100
Control: retitle -1 CVE-2013-0296: pigz creates temp files with too wide permissions

Hi

On Fri, Feb 15, 2013 at 12:30:09PM +0400, Michael Tokarev wrote:
> When asked to compress a file with restricted permissions (like
> mode 0600), the .gz file pigz creates while doing this has
> usual mode derived from umask (like 0644).  If the file is
> large enough (and why we would use pigz instead of gzip for
> small files), this results in the original content being
> readable for everyone until the compression finishes.
> 
> Here's the deal:
> 
> $ fallocate -l 1G foo
> $ chmod 0600 foo
> $ pigz foo &
> $ ls -l foo foo.gz 
> -rw------- 1 mjt mjt 1073741824 Фев 15 12:27 foo
> -rw-rw-r-- 1 mjt mjt     502516 Фев 15 12:27 foo.gz
> 
> When it finishes, it correctly applies original file permissions
> to the newly created file, but it is already waaay too late.
> 
> Other one-file archivers (gzip, xz, bzip2, ...) usually create
> the temp file with very strict permissions first, and change it
> to the right perms only when done, so only the current user can
> read it.
> 
> It looks like this bug deserves a CVE#.

A CVE was assigned to this now[1]: CVE-2013-0296. Could you please
include the CVE in your changelog when fixing the issue?

 [1]: http://marc.info/?l=oss-security&m=136099644815551&w=2

Regards,
Salvatore



Changed Bug title to 'CVE-2013-0296: pigz creates temp files with too wide permissions' from 'pigz creates temp files with too wide permissions' Request was from Salvatore Bonaccorso <carnil@debian.org> to 700608-submit@bugs.debian.org. (Sat, 16 Feb 2013 07:18:04 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#700608; Package pigz. (Sat, 16 Feb 2013 07:21:03 GMT)

Acknowledgement sent to Michael Tokarev <mjt@tls.msk.ru>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>. (Sat, 16 Feb 2013 07:21:04 GMT)

Message #17 received at 700608@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: 700608@bugs.debian.org
Subject: Re: Bug#700608: pigz creates temp files with too wide permissions
Date: Sat, 16 Feb 2013 11:17:46 +0400
Control: retitle -1 pigz creates temp files with too wide permissions (CVE-2013-0296)

This issue has been assigned CVE-2013-0296.

Thanks,

/mjt



Changed Bug title to 'pigz creates temp files with too wide permissions (CVE-2013-0296)' from 'CVE-2013-0296: pigz creates temp files with too wide permissions' Request was from Michael Tokarev <mjt@tls.msk.ru> to 700608-submit@bugs.debian.org. (Sat, 16 Feb 2013 07:21:04 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#700608; Package pigz. (Sat, 16 Feb 2013 08:21:02 GMT)

Acknowledgement sent to Michael Tokarev <mjt@tls.msk.ru>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>. (Sat, 16 Feb 2013 08:21:02 GMT)

Message #24 received at 700608@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 700608@bugs.debian.org, Mark Adler <madler@alumni.caltech.edu>
Subject: Re: Bug#700608: CVE-2013-0296: pigz creates temp files with too wide permissions
Date: Sat, 16 Feb 2013 12:18:35 +0400
Control: tag -1 + patch

The attached patch fixes the issue.  It uses st.st_mode as a base
when creating a new file (falling back to usual 0666 when dealing
with stdin).  It also uses the same stat attributes as used when
creating the file.

One more thing which is good to have here (it is also potential
security issue) is to use fchmod/fchown/etc instead of chmod/chown/etc,
due to possible symlink tricks, but this might be a bit more changes
than needed for the main fix.

Thanks,

/mjt
[pigz-CVE-2013-0296.diff (text/x-patch, attachment)]
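The following is an added illustration of the two behaviours described in this thread, written for this page; it is not Michael Tokarev's attached patch and not pigz's own code. The names `write_output`, `demo`, `mode_while_writing` and `mode_when_done` are assumed for the example, and the "compression" is a plain byte copy standing in for the real deflate loop. With `hardened == 0` the output is created with 0666 masked by the umask and the input's permissions are applied only at the end, which is the window the original report shows with `ls -l`; with `hardened == 1` the output is created from the input's `st_mode` bits from the start, as the patch description says, and the final attributes are applied with `fchmod()` on the open descriptor rather than `chmod()` on the path, which is the symlink-related point raised above.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Simulates the output-file handling of a one-file compressor.
 * hardened == 0: output created with 0666 (masked by umask), input's
 *                permissions applied only after all data is written.
 * hardened == 1: output created with the input's own permission bits
 *                (a real tool would fall back to 0666 only for stdin,
 *                which cannot be stat'ed), then fchmod() on the open fd.
 * *during receives the permission bits seen while the file is still being
 * written; *final receives the bits after the attributes are applied.
 * Returns 0 on success, -1 on any system-call failure. Hypothetical helper. */
static int write_output(const char *in_path, const char *out_path,
                        int hardened, mode_t *during, mode_t *final)
{
    struct stat st, ost;
    int in = open(in_path, O_RDONLY);
    if (in < 0 || fstat(in, &st) < 0) return -1;

    mode_t create_mode = hardened ? (st.st_mode & 0777) : 0666;
    int out = open(out_path, O_WRONLY | O_CREAT | O_EXCL, create_mode);
    if (out < 0) { close(in); return -1; }

    /* What any other user sees while the data is still being written. */
    if (fstat(out, &ost) < 0) { close(in); close(out); return -1; }
    *during = ost.st_mode & 0777;

    /* Stand-in for the compression loop: plain copy of the input bytes. */
    char buf[4096];
    ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { close(in); close(out); return -1; }
    close(in);

    /* Apply the input's permissions on the descriptor we created, not on the
     * path (fchown() would follow the same pattern). Both variants do this;
     * they differ only in what the file looked like before this point. */
    if (fchmod(out, st.st_mode & 07777) < 0) { close(out); return -1; }
    if (fstat(out, &ost) < 0) { close(out); return -1; }
    *final = ost.st_mode & 0777;
    close(out);
    return 0;
}

/* Builds the scenario from the bug report: a 0600 input under /tmp, umask 022,
 * output next to it. Constructed sample input; returns 0 on success. */
int demo(int hardened, mode_t *during, mode_t *final)
{
    char in_path[] = "/tmp/pigz-demo-in-XXXXXX";
    char out_path[sizeof in_path + 3];
    const char payload[] = "secret content that must stay private\n";
    mode_t old = umask(022);
    int rc = -1;

    int fd = mkstemp(in_path);
    if (fd < 0) { umask(old); return -1; }
    if (write(fd, payload, sizeof payload - 1) != (ssize_t)(sizeof payload - 1)
        || fchmod(fd, 0600) < 0) {
        close(fd); unlink(in_path); umask(old); return -1;
    }
    close(fd);

    snprintf(out_path, sizeof out_path, "%s.gz", in_path);
    unlink(out_path);
    rc = write_output(in_path, out_path, hardened, during, final);

    unlink(out_path);
    unlink(in_path);
    umask(old);
    return rc;
}

/* Convenience wrappers returning the observed bits, or -1 on failure. */
int mode_while_writing(int hardened)
{ mode_t d, f; return demo(hardened, &d, &f) == 0 ? (int)d : -1; }
int mode_when_done(int hardened)
{ mode_t d, f; return demo(hardened, &d, &f) == 0 ? (int)f : -1; }

int main(void)
{
    printf("original: %04o while writing, %04o when done\n",
           mode_while_writing(0), mode_when_done(0));
    printf("hardened: %04o while writing, %04o when done\n",
           mode_while_writing(1), mode_when_done(1));
    return 0;
}
```

Run under a normal umask of 022: the original variant reports 0644 while writing and 0600 when done, the hardened one 0600 throughout. The only line that changes is the mode passed to `open()`, which is exactly the shape of the "really minimal fix" posted later in this thread.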

Added tag(s) patch. Request was from Michael Tokarev <mjt@tls.msk.ru> to 700608-submit@bugs.debian.org. (Sat, 16 Feb 2013 08:21:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#700608; Package pigz. (Sat, 16 Feb 2013 08:27:03 GMT)

Acknowledgement sent to Michael Tokarev <mjt@tls.msk.ru>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>. (Sat, 16 Feb 2013 08:27:03 GMT)

Message #31 received at 700608@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: 700608@bugs.debian.org
Cc: Mark Adler <madler@alumni.caltech.edu>
Subject: Re: Bug#700608: CVE-2013-0296: pigz creates temp files with too wide permissions
Date: Sat, 16 Feb 2013 12:22:31 +0400
16.02.2013 12:18, Michael Tokarev wrote:
> Control: tag -1 + patch
> 
> The attached patch fixes the issue.  It uses st.st_mode as a base
> when creating a new file (falling back to usual 0666 when dealing
> with stdin).  It also uses the same stat attributes as used when
> creating the file.

And attached is a really minimal fix, which does not touch copymeta(),
but uses the same st.st_mode "trick" instead of using 0666 directly.

For reference: this is all about http://bugs.debian.org/700608 aka
CVE-2013-0296.

Thanks,

/mjt


[pigz-CVE-2013-0296-mini.diff (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#700608; Package pigz. (Sun, 17 Feb 2013 10:42:03 GMT)

Acknowledgement sent to Ivo De Decker <ivo.dedecker@ugent.be>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>. (Sun, 17 Feb 2013 10:42:03 GMT)

Message #36 received at 700608@bugs.debian.org:

From: Ivo De Decker <ivo.dedecker@ugent.be>
To: 700608@bugs.debian.org
Subject: CVE-2013-0296 also in squeeze
Date: Sun, 17 Feb 2013 11:38:57 +0100
Control: found -1 2.1.6-1

Hi,

This issue also exists in squeeze.

Cheers,

Ivo



Marked as found in versions pigz/2.1.6-1. Request was from Ivo De Decker <ivo.dedecker@ugent.be> to 700608-submit@bugs.debian.org. (Sun, 17 Feb 2013 10:42:04 GMT)

Reply sent to Eduard Bloch <blade@debian.org>:
You have taken responsibility. (Sat, 23 Feb 2013 20:51:04 GMT)

Notification sent to Michael Tokarev <mjt@tls.msk.ru>:
Bug acknowledged by developer. (Sat, 23 Feb 2013 20:51:04 GMT)

Message #43 received at 700608-close@bugs.debian.org:

From: Eduard Bloch <blade@debian.org>
To: 700608-close@bugs.debian.org
Subject: Bug#700608: fixed in pigz 2.2.4-2
Date: Sat, 23 Feb 2013 20:47:36 +0000
Source: pigz
Source-Version: 2.2.4-2

We believe that the bug you reported is fixed in the latest version of
pigz, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700608@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eduard Bloch <blade@debian.org> (supplier of updated pigz package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 23 Feb 2013 13:44:42 +0100
Source: pigz
Binary: pigz
Architecture: source amd64
Version: 2.2.4-2
Distribution: unstable
Urgency: high
Maintainer: Eduard Bloch <blade@debian.org>
Changed-By: Eduard Bloch <blade@debian.org>
Description: 
 pigz       - Parallel Implementation of GZip
Closes: 700608
Changes: 
 pigz (2.2.4-2) unstable; urgency=high
 .
   * Use 600 permissions for unfinished output files (CVE-2013-0296,
     closes: #700608)
   * started applying Debian hardening flags
Checksums-Sha1: 
 e45f3818f029a5b067b06f0f6c7a95d94e5e891a 1012 pigz_2.2.4-2.dsc
 0744f48ff7bc4d15741ce2f8a1716694d62c0f8f 2888 pigz_2.2.4-2.debian.tar.xz
 8f69e0d472d866aa695492440167a02f7876fc7c 34908 pigz_2.2.4-2_amd64.deb
Checksums-Sha256: 
 ae471af43db6eb7d76cd5aca11b1a7c0c22bbfc54b4ebd5144b12634192302da 1012 pigz_2.2.4-2.dsc
 677cdbdf4148cdc89ff512d2bfee0a6616f725a4a757d53a8d8f54a35b0ef99d 2888 pigz_2.2.4-2.debian.tar.xz
 5c3677e819caf7ef14f352a45c5f1441649b8440dfc02f7f47af9beaa65c8605 34908 pigz_2.2.4-2_amd64.deb
Files: 
 40600b6811d234d8d6453e29019bc2cd 1012 utils extra pigz_2.2.4-2.dsc
 7aab96c9299529e925e00bb83b2e49bc 2888 utils extra pigz_2.2.4-2.debian.tar.xz
 1aa0bf2546afda6364edebd3a717a599 34908 utils extra pigz_2.2.4-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRKL9Y4QZIHu3wCMURApY+AJkB9Qzyux79we+hynQkikdz+oQoFACcDgsl
eAtzkMSSs6rtfJePgweFAtE=
=/1A1
-----END PGP SIGNATURE-----
Reply sent to Eduard Bloch <blade@debian.org>:
You have taken responsibility. (Fri, 12 Apr 2013 18:06:05 GMT)

Notification sent to Michael Tokarev <mjt@tls.msk.ru>:
Bug acknowledged by developer. (Fri, 12 Apr 2013 18:06:05 GMT)

Message #48 received at 700608-close@bugs.debian.org:

From: Eduard Bloch <blade@debian.org>
To: 700608-close@bugs.debian.org
Subject: Bug#700608: fixed in pigz 2.1.6-1+squeeze1
Date: Fri, 12 Apr 2013 18:02:04 +0000
Source: pigz
Source-Version: 2.1.6-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
pigz, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700608@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eduard Bloch <blade@debian.org> (supplier of updated pigz package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 23 Feb 2013 21:46:31 +0100
Source: pigz
Binary: pigz
Architecture: source amd64
Version: 2.1.6-1+squeeze1
Distribution: stable
Urgency: high
Maintainer: Eduard Bloch <blade@debian.org>
Changed-By: Eduard Bloch <blade@debian.org>
Description: 
 pigz       - Parallel Implementation of GZip
Closes: 700608
Changes: 
 pigz (2.1.6-1+squeeze1) stable; urgency=high
 .
   * Use 600 permissions for unfinished output files (CVE-2013-0296,
     closes: #700608)
Checksums-Sha1: 
 947f55875a684d0d5e450783d3e9a0bd20d77500 985 pigz_2.1.6-1+squeeze1.dsc
 4f7595f9b80b0b5f8429eab837c8591fb1b85d48 3275 pigz_2.1.6-1+squeeze1.diff.gz
 1445f01f9a30833dc71e7246cd905e2b996622d3 34468 pigz_2.1.6-1+squeeze1_amd64.deb
Checksums-Sha256: 
 6c3a123700b06a1dc972f5897e545f098c7129585042305b143218cac71b90b8 985 pigz_2.1.6-1+squeeze1.dsc
 a533946ae359f57b56fcb9240960439b5d5b11a00ea5bb53d2cfd64fc4b25449 3275 pigz_2.1.6-1+squeeze1.diff.gz
 2957b43b6b013788c0b8907d96872a12a2f1d92772c1cbe67f8524e8b47c4e8f 34468 pigz_2.1.6-1+squeeze1_amd64.deb
Files: 
 afa5fd8e9a2f4a5a8692c21ec46da4a3 985 utils extra pigz_2.1.6-1+squeeze1.dsc
 c24010228559a5a58c994e8fae6cdf10 3275 utils extra pigz_2.1.6-1+squeeze1.diff.gz
 31083fea056b474e8e7f87385f5ea0c8 34468 utils extra pigz_2.1.6-1+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRTuTr4QZIHu3wCMURArFEAJ9vq7UetGLUF+/rzKzpv/L/waZkRQCfW8tL
joM7meUOKnFtMFGehJH5LpM=
=yOZ5
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 07:32:45 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 15:18:10 2014; Machine Name: beach.debian.org
