pxz: CVE-2015-1200: race condition in setting permissions

Related Vulnerabilities: CVE-2015-1200   CVE-2013-0296  

Debian Bug report logs - #775306

Package: pxz; Maintainer for pxz is Holger Levsen <holger@debian.org>; Source for pxz is src:pxz.

Reported by: Alexander Cherepanov <cherepan@mccme.ru>

Date: Tue, 13 Jan 2015 21:45:01 UTC

Severity: important

Tags: security

Found in version pxz/4.999.99~beta3+git659fc9b-2

Fixed in version pxz/4.999.99~beta3+git659fc9b-3

Done: Holger Levsen <holger@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Holger Levsen <holger@debian.org>:
Bug#775306; Package pxz. (Tue, 13 Jan 2015 21:45:06 GMT)


Acknowledgement sent to Alexander Cherepanov <cherepan@mccme.ru>:
New Bug report received and forwarded. Copy sent to Holger Levsen <holger@debian.org>. (Tue, 13 Jan 2015 21:45:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Alexander Cherepanov <cherepan@mccme.ru>
To: submit@bugs.debian.org
Subject: pxz: race condition in setting permissions on output file
Date: Wed, 14 Jan 2015 00:40:04 +0300
Package: pxz
Version: 4.999.99~beta3+git659fc9b-2
Tags: security

pxz sets the mode of an output file to be the same as the one of an 
input file but does it only after compression is over. This leaves the 
output file with the wrong mode during all the time of the compression 
process.

Illustration:

$ truncate -s 1G foo

$ chmod 600 foo

$ pxz foo &
[1] 9240

$ ls -l foo.xz
-rw-r--r-- 1 user user 0 Jan 14 00:33 foo.xz

$ wait %
[1]+  Done                    pxz foo

$ ls -l foo.xz
-rw------- 1 user user 161976 Jan 14 00:33 foo.xz

The issue is similar to 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0296 .

-- 
Alexander Cherepanov
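
The ordering problem described in this report, next to the usual way of closing the window, as an added example (not pxz source, and not the patch attached later in this log, which is not shown on this page). The function names, the temp-directory layout and the umask of 022 are assumptions of the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added illustration, not pxz code. Writes stand-in data, then copies the
 * input's mode; returns the mode observable while the data was on disk. */
static mode_t write_output(const char *out, mode_t in_mode, int excl, mode_t create_mode)
{
    struct stat during;
    int fd = open(out, O_WRONLY | O_CREAT | (excl ? O_EXCL : O_TRUNC), create_mode);
    if (fd < 0) return (mode_t)-1;
    if (write(fd, "data", 4) != 4 || fstat(fd, &during) != 0 ||
        fchmod(fd, in_mode) != 0) {       /* input mode applied only at the end */
        close(fd);
        return (mode_t)-1;
    }
    close(fd);
    return during.st_mode & 0777;
}

/* hardened == 0: ordering from the report (default create mode, chmod last).
 * hardened == 1: exclusive, owner-only create. Constructed 0600 input "foo". */
static mode_t demo(int hardened, mode_t *final)
{
    char dir[] = "/tmp/mode-race-demo-XXXXXX", in[64], out[64];
    struct stat st;
    mode_t seen;
    umask(022);                           /* assumption: common default umask */
    if (!mkdtemp(dir)) return (mode_t)-1;
    snprintf(in, sizeof in, "%s/foo", dir);
    snprintf(out, sizeof out, "%s/foo.xz", dir);
    close(open(in, O_WRONLY | O_CREAT | O_EXCL, 0600));
    stat(in, &st);
    seen = write_output(out, st.st_mode & 0777, hardened, hardened ? 0600 : 0666);
    *final = (stat(out, &st) == 0) ? (st.st_mode & 0777) : (mode_t)-1;
    unlink(in); unlink(out); rmdir(dir);
    return seen;
}

int main(void)
{
    mode_t f0, f1, w0 = demo(0, &f0), w1 = demo(1, &f1);
    printf("late chmod: during %04o, final %04o\n", (unsigned)w0, (unsigned)f0);
    printf("hardened:   during %04o, final %04o\n", (unsigned)w1, (unsigned)f1);
    return 0;
}
```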



Information forwarded to debian-bugs-dist@lists.debian.org, Holger Levsen <holger@debian.org>:
Bug#775306; Package pxz. (Wed, 14 Jan 2015 04:27:08 GMT)


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Holger Levsen <holger@debian.org>. (Wed, 14 Jan 2015 04:27:08 GMT)


Message #10 received at 775306@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: Alexander Cherepanov <cherepan@mccme.ru>, 775306@bugs.debian.org
Subject: Re: Bug#775306: pxz: race condition in setting permissions on output file
Date: Wed, 14 Jan 2015 05:25:02 +0100
control: severity -1 important

Hi Alexander,

On Tuesday, 13 January 2015, Alexander Cherepanov wrote:
> pxz sets the mode of an output file to be the same as the one of an
> input file but does it only after compression is over. This leaves the
> output file with the wrong mode during all the time of the compression
> process.

thanks for the bug report! Could you maybe come up with a patch? 


cheers,
	Holger

Severity set to 'important' from 'normal' Request was from Holger Levsen <holger@layer-acht.org> to 775306-submit@bugs.debian.org. (Wed, 14 Jan 2015 04:27:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Holger Levsen <holger@debian.org>:
Bug#775306; Package pxz. (Sun, 18 Jan 2015 20:48:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Holger Levsen <holger@debian.org>. (Sun, 18 Jan 2015 20:48:04 GMT)


Message #17 received at 775306@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Alexander Cherepanov <cherepan@mccme.ru>, 775306@bugs.debian.org
Subject: Re: Bug#775306: pxz: race condition in setting permissions on output file
Date: Sun, 18 Jan 2015 21:45:21 +0100
Control: retitle -1 pxz: CVE-2015-1200: race condition in setting permissions

Hi

This has been assigned CVE-2015-1200 by MITRE.

Regards,
Salvatore



Changed Bug title to 'pxz: CVE-2015-1200: race condition in setting permissions' from 'pxz: race condition in setting permissions on output file' Request was from Salvatore Bonaccorso <carnil@debian.org> to 775306-submit@bugs.debian.org. (Sun, 18 Jan 2015 20:48:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Holger Levsen <holger@debian.org>:
Bug#775306; Package pxz. (Mon, 26 Jan 2015 19:03:09 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Holger Levsen <holger@debian.org>. (Mon, 26 Jan 2015 19:03:09 GMT)


Message #24 received at 775306@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Holger Levsen <holger@layer-acht.org>
Cc: Alexander Cherepanov <cherepan@mccme.ru>, 775306@bugs.debian.org
Subject: Re: Bug#775306: pxz: race condition in setting permissions on output file
Date: Mon, 26 Jan 2015 19:59:42 +0100
On Wed, Jan 14, 2015 at 05:25:02AM +0100, Holger Levsen wrote:
> control: severity -1 important
> 
> Hi Alexander,
> 
> On Tuesday, 13 January 2015, Alexander Cherepanov wrote:
> > pxz sets the mode of an output file to be the same as the one of an
> > input file but does it only after compression is over. This leaves the
> > output file with the wrong mode during all the time of the compression
> > process.
> 
> thanks for the bug report! Could you maybe come up with a patch? 

Patch attached, can you take care of an upload and unblock with
the release team?

Cheers,
        Moritz
[CVE-2015-1200.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Holger Levsen <holger@debian.org>:
Bug#775306; Package pxz. (Mon, 26 Jan 2015 19:27:15 GMT)


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Holger Levsen <holger@debian.org>. (Mon, 26 Jan 2015 19:27:15 GMT)


Message #29 received at 775306@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: Alexander Cherepanov <cherepan@mccme.ru>, 775306@bugs.debian.org
Subject: Re: Bug#775306: pxz: race condition in setting permissions on output file
Date: Mon, 26 Jan 2015 20:26:00 +0100
Hi Moritz,

On Monday, 26 January 2015, Moritz Mühlenhoff wrote:
> Patch attached, can you take care of an upload and unblock with
> the release team?

thanks for the patch, can do!


cheers,
	Holger



Reply sent to Holger Levsen <holger@debian.org>:
You have taken responsibility. (Tue, 27 Jan 2015 12:36:05 GMT)


Notification sent to Alexander Cherepanov <cherepan@mccme.ru>:
Bug acknowledged by developer. (Tue, 27 Jan 2015 12:36:05 GMT)


Message #34 received at 775306-close@bugs.debian.org:

From: Holger Levsen <holger@debian.org>
To: 775306-close@bugs.debian.org
Subject: Bug#775306: fixed in pxz 4.999.99~beta3+git659fc9b-3
Date: Tue, 27 Jan 2015 12:33:39 +0000
Source: pxz
Source-Version: 4.999.99~beta3+git659fc9b-3

We believe that the bug you reported is fixed in the latest version of
pxz, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775306@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated pxz package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 27 Jan 2015 12:34:37 +0100
Source: pxz
Binary: pxz
Architecture: source amd64
Version: 4.999.99~beta3+git659fc9b-3
Distribution: unstable
Urgency: medium
Maintainer: Holger Levsen <holger@debian.org>
Changed-By: Holger Levsen <holger@debian.org>
Description:
 pxz        - parallel LZMA compressor using liblzma
Closes: 775306
Changes:
 pxz (4.999.99~beta3+git659fc9b-3) unstable; urgency=medium
 .
   * CVE-2015-1200: Fix race condition in setting permissions. Thanks to
     Moritz Mühlenhoff for the patch. (Closes: #775306)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 07 Mar 2015 07:26:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:20:27 2019; Machine Name: buxtehude
