diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-05:11.gzip.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-05:11.gzip.asc | 132 |
1 files changed, 132 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-SA-05:11.gzip.asc b/share/security/advisories/FreeBSD-SA-05:11.gzip.asc new file mode 100644 index 0000000000..6fd27161b3 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-05:11.gzip.asc @@ -0,0 +1,132 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-05:11.gzip Security Advisory + The FreeBSD Project + +Topic: gzip directory traversal and permission race vulnerabilities + +Category: contrib +Module: gzip +Announced: 2005-06-09 +Credits: Ulf Harnhammar, Imran Ghory +Affects: All FreeBSD releases +Corrected: 2005-06-08 21:26:27 UTC (RELENG_5, 5.4-STABLE) + 2005-06-08 21:27:44 UTC (RELENG_5_4, 5.4-RELEASE-p2) + 2005-06-08 21:29:15 UTC (RELENG_5_3, 5.3-RELEASE-p16) + 2005-06-08 21:29:53 UTC (RELENG_4, 4.11-STABLE) + 2005-06-08 21:30:43 UTC (RELENG_4_11, 4.11-RELEASE-p10) + 2005-06-08 21:31:16 UTC (RELENG_4_10, 4.10-RELEASE-p15) +CVE Name: CAN-2005-0988, CAN-2005-1228 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit +<URL:http://www.freebsd.org/security/>. + +I. Background + +gzip is a file compression utility. + +II. Problem Description + +Two problems related to extraction of files exist in gzip: + +The first problem is that gzip does not properly sanitize filenames +containing "/" when uncompressing files using the -N command line +option. + +The second problem is that gzip does not set permissions on newly +extracted files until after the file has been created and the file +descriptor has been closed. + +III. Impact + +The first problem can allow an attacker to overwrite arbitrary local +files when uncompressing a file using the -N command line option. + +The second problem can allow a local attacker to change the +permissions of arbitrary local files, on the same partition as the one +the user is uncompressing a file on, by removing the file the user is +uncompressing and replacing it with a hardlink before the uncompress +operation is finished. + +IV. Workaround + +Do not use the -N command line option on untrusted files and do not +uncompress files in directories where untrusted users have write +access. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the +RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch +dated after the correction date. + +2) To patch your present system: + +The following patches have been verified to apply to FreeBSD 4.10, +4.11, 5.3, and 5.4 systems. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:11/gzip.patch +# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:11/gzip.patch.asc + +b) Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch +# cd /usr/src/gnu/usr.bin/gzip +# make obj && make depend && make && make install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch Revision + Path +- ------------------------------------------------------------------------- +RELENG_4 + src/gnu/usr.bin/gzip/gzip.c 1.10.2.1 +RELENG_4_11 + src/UPDATING 1.73.2.91.2.11 + src/sys/conf/newvers.sh 1.44.2.39.2.14 + src/gnu/usr.bin/gzip/gzip.c 1.10.26.1 +RELENG_4_10 + src/UPDATING 1.73.2.90.2.16 + src/sys/conf/newvers.sh 1.44.2.34.2.17 + src/gnu/usr.bin/gzip/gzip.c 1.10.24.1 +RELENG_5 + src/gnu/usr.bin/gzip/gzip.c 1.11.2.1 +RELENG_5_4 + src/UPDATING 1.342.2.24.2.11 + src/sys/conf/newvers.sh 1.62.2.18.2.7 + src/gnu/usr.bin/gzip/gzip.c 1.11.6.1 +RELENG_5_3 + src/UPDATING 1.342.2.13.2.19 + src/sys/conf/newvers.sh 1.62.2.15.2.21 + src/gnu/usr.bin/gzip/gzip.c 1.11.4.1 +- ------------------------------------------------------------------------- + +VII. References + +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0988 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228 +http://marc.theaimsgroup.com/?l=bugtraq&m=111271860708210 +http://marc.theaimsgroup.com/?l=bugtraq&m=111402732406477 + +The latest revision of this advisory is available at +ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:11.gzip.asc +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.1 (FreeBSD) + +iD8DBQFCqBbGFdaIBMps37IRAttLAJ41WPmKXczZAZgrBGBP1GorSM7E1gCfc8w9 +KFbns+zs2umrId0mCg1SjVk= +=6MzW +-----END PGP SIGNATURE----- |