Debian Bug report logs -
#700608
pigz creates temp files with too wide permissions (CVE-2013-0296)
Reported by: Michael Tokarev <mjt@tls.msk.ru>
Date: Fri, 15 Feb 2013 08:33:01 UTC
Severity: serious
Tags: patch, security
Found in versions pigz/2.2.4-1, pigz/2.1.6-1
Fixed in versions pigz/2.2.4-2, pigz/2.1.6-1+squeeze1
Done: Eduard Bloch <blade@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Eduard Bloch <blade@debian.org>:
Bug#700608; Package pigz.
(Fri, 15 Feb 2013 08:33:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Tokarev <mjt@tls.msk.ru>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Eduard Bloch <blade@debian.org>.
(Fri, 15 Feb 2013 08:33:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: pigz
Version: 2.2.4-1
Severity: serious
Tags: security
When asked to compress a file with restricted permissions (like
mode 0600), the .gz file pigz creates while doing this has
usual mode derived from umask (like 0644). If the file is
large enough (and why we would use pigz instead of gzip for
small files), this results in the original content being
readable for everyone until the compression finishes.
Here's the deal:
$ fallocate -l 1G foo
$ chmod 0600 foo
$ pigz foo &
$ ls -l foo foo.gz
-rw------- 1 mjt mjt 1073741824 Фев 15 12:27 foo
-rw-rw-r-- 1 mjt mjt 502516 Фев 15 12:27 foo.gz
When it finishes, it correctly applies original file permissions
to the newly created file, but it is already waaay too late.
Other one-file archivers (gzip, xz, bzip2, ...) usually create
the temp file with very strict permissions first, and change it
to the right perms only when done, so only the current user can
read it.
It looks like this bug deserves a CVE#.
Thanks,
/mjt
Information forwarded
to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#700608; Package pigz.
(Sat, 16 Feb 2013 07:18:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>.
(Sat, 16 Feb 2013 07:18:03 GMT) (full text, mbox, link).
Message #10 received at 700608@bugs.debian.org (full text, mbox, reply):
Control: retitle -1 CVE-2013-0296: pigz creates temp files with too wide permissions
Hi
On Fri, Feb 15, 2013 at 12:30:09PM +0400, Michael Tokarev wrote:
> When asked to compress a file with restricted permissions (like
> mode 0600), the .gz file pigz creates while doing this has
> usual mode derived from umask (like 0644). If the file is
> large enough (and why we would use pigz instead of gzip for
> small files), this results in the original content being
> readable for everyone until the compression finishes.
>
> Here's the deal:
>
> $ fallocate -l 1G foo
> $ chmod 0600 foo
> $ pigz foo &
> $ ls -l foo foo.gz
> -rw------- 1 mjt mjt 1073741824 ?????? 15 12:27 foo
> -rw-rw-r-- 1 mjt mjt 502516 ?????? 15 12:27 foo.gz
>
> When it finishes, it correctly applies original file permissions
> to the newly created file, but it is already waaay too late.
>
> Other one-file archivers (gzip, xz, bzip2, ...) usually create
> the temp file with very strict permissions first, and change it
> to the right perms only when done, so only the current user can
> read it.
>
> It looks like this bug deserves a CVE#.
A CVE was assigned to this now[1]: CVE-2013-0296. Could you please
include the CVE in your changelog when fixing the issue?
[1]: http://marc.info/?l=oss-security&m=136099644815551&w=2
Regards,
Salvatore
Changed Bug title to 'CVE-2013-0296: pigz creates temp files with too wide permissions' from 'pigz creates temp files with too wide permissions'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 700608-submit@bugs.debian.org.
(Sat, 16 Feb 2013 07:18:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#700608; Package pigz.
(Sat, 16 Feb 2013 07:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Tokarev <mjt@tls.msk.ru>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>.
(Sat, 16 Feb 2013 07:21:04 GMT) (full text, mbox, link).
Message #17 received at 700608@bugs.debian.org (full text, mbox, reply):
Control: retitle -1 pigz creates temp files with too wide permissions (CVE-2013-0296)
This issue has been assigned CVE-2013-0296.
Thanks,
/mjt
Changed Bug title to 'pigz creates temp files with too wide permissions (CVE-2013-0296)' from 'CVE-2013-0296: pigz creates temp files with too wide permissions'
Request was from Michael Tokarev <mjt@tls.msk.ru>
to 700608-submit@bugs.debian.org.
(Sat, 16 Feb 2013 07:21:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#700608; Package pigz.
(Sat, 16 Feb 2013 08:21:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Tokarev <mjt@tls.msk.ru>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>.
(Sat, 16 Feb 2013 08:21:02 GMT) (full text, mbox, link).
Message #24 received at 700608@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tag -1 + patch
The attached patch fixes the issue. It uses st.st_mode as a base
when creating a new file (falling back to usual 0666 when dealing
with stdin). It also uses the same stat attributes as used when
creating the file.
One more thing which is good to have here (it is also potential
security issue) is to use fchmod/fchown/etc instead of chmod/chown/etc,
due to possible symlink tricks, but this might be a bit more changes
than needed for the main fix.
Thanks,
/mjt
[pigz-CVE-2013-0296.diff (text/x-patch, attachment)]
Added tag(s) patch.
Request was from Michael Tokarev <mjt@tls.msk.ru>
to 700608-submit@bugs.debian.org.
(Sat, 16 Feb 2013 08:21:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#700608; Package pigz.
(Sat, 16 Feb 2013 08:27:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Tokarev <mjt@tls.msk.ru>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>.
(Sat, 16 Feb 2013 08:27:03 GMT) (full text, mbox, link).
Message #31 received at 700608@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
16.02.2013 12:18, Michael Tokarev wrote:
> Control: tag -1 + patch
>
> The attached patch fixes the issue. It uses st.st_mode as a base
> when creating a new file (falling back to usual 0666 when dealing
> with stdin). It also uses the same stat attributes as used when
> creating the file.
And attached is a really minimal fix, which does not touch copymeta(),
but uses the same st.st_mode "trick" isntead of using 0666 directly.
For reference: this is all about http://bugs.debian.org/700608 aka
CVE-2013-0296.
Thanks,
/mjt
[pigz-CVE-2013-0296-mini.diff (text/x-patch, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#700608; Package pigz.
(Sun, 17 Feb 2013 10:42:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Ivo De Decker <ivo.dedecker@ugent.be>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>.
(Sun, 17 Feb 2013 10:42:03 GMT) (full text, mbox, link).
Message #36 received at 700608@bugs.debian.org (full text, mbox, reply):
Control: found -1 2.1.6-1
Hi,
This issue also exists in squeeze.
Cheers,
Ivo
Marked as found in versions pigz/2.1.6-1.
Request was from Ivo De Decker <ivo.dedecker@ugent.be>
to 700608-submit@bugs.debian.org.
(Sun, 17 Feb 2013 10:42:04 GMT) (full text, mbox, link).
Reply sent
to Eduard Bloch <blade@debian.org>:
You have taken responsibility.
(Sat, 23 Feb 2013 20:51:04 GMT) (full text, mbox, link).
Notification sent
to Michael Tokarev <mjt@tls.msk.ru>:
Bug acknowledged by developer.
(Sat, 23 Feb 2013 20:51:04 GMT) (full text, mbox, link).
Message #43 received at 700608-close@bugs.debian.org (full text, mbox, reply):
Source: pigz
Source-Version: 2.2.4-2
We believe that the bug you reported is fixed in the latest version of
pigz, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 700608@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eduard Bloch <blade@debian.org> (supplier of updated pigz package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 23 Feb 2013 13:44:42 +0100
Source: pigz
Binary: pigz
Architecture: source amd64
Version: 2.2.4-2
Distribution: unstable
Urgency: high
Maintainer: Eduard Bloch <blade@debian.org>
Changed-By: Eduard Bloch <blade@debian.org>
Description:
pigz - Parallel Implementation of GZip
Closes: 700608
Changes:
pigz (2.2.4-2) unstable; urgency=high
.
* Use 600 permissions for unfinished output files (CVE-2013-0296,
closes: #700608)
* started applying Debian hardening flags
Checksums-Sha1:
e45f3818f029a5b067b06f0f6c7a95d94e5e891a 1012 pigz_2.2.4-2.dsc
0744f48ff7bc4d15741ce2f8a1716694d62c0f8f 2888 pigz_2.2.4-2.debian.tar.xz
8f69e0d472d866aa695492440167a02f7876fc7c 34908 pigz_2.2.4-2_amd64.deb
Checksums-Sha256:
ae471af43db6eb7d76cd5aca11b1a7c0c22bbfc54b4ebd5144b12634192302da 1012 pigz_2.2.4-2.dsc
677cdbdf4148cdc89ff512d2bfee0a6616f725a4a757d53a8d8f54a35b0ef99d 2888 pigz_2.2.4-2.debian.tar.xz
5c3677e819caf7ef14f352a45c5f1441649b8440dfc02f7f47af9beaa65c8605 34908 pigz_2.2.4-2_amd64.deb
Files:
40600b6811d234d8d6453e29019bc2cd 1012 utils extra pigz_2.2.4-2.dsc
7aab96c9299529e925e00bb83b2e49bc 2888 utils extra pigz_2.2.4-2.debian.tar.xz
1aa0bf2546afda6364edebd3a717a599 34908 utils extra pigz_2.2.4-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFRKL9Y4QZIHu3wCMURApY+AJkB9Qzyux79we+hynQkikdz+oQoFACcDgsl
eAtzkMSSs6rtfJePgweFAtE=
=/1A1
-----END PGP SIGNATURE-----
Reply sent
to Eduard Bloch <blade@debian.org>:
You have taken responsibility.
(Fri, 12 Apr 2013 18:06:05 GMT) (full text, mbox, link).
Notification sent
to Michael Tokarev <mjt@tls.msk.ru>:
Bug acknowledged by developer.
(Fri, 12 Apr 2013 18:06:05 GMT) (full text, mbox, link).
Message #48 received at 700608-close@bugs.debian.org (full text, mbox, reply):
Source: pigz
Source-Version: 2.1.6-1+squeeze1
We believe that the bug you reported is fixed in the latest version of
pigz, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 700608@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eduard Bloch <blade@debian.org> (supplier of updated pigz package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 23 Feb 2013 21:46:31 +0100
Source: pigz
Binary: pigz
Architecture: source amd64
Version: 2.1.6-1+squeeze1
Distribution: stable
Urgency: high
Maintainer: Eduard Bloch <blade@debian.org>
Changed-By: Eduard Bloch <blade@debian.org>
Description:
pigz - Parallel Implementation of GZip
Closes: 700608
Changes:
pigz (2.1.6-1+squeeze1) stable; urgency=high
.
* Use 600 permissions for unfinished output files (CVE-2013-0296,
closes: #700608)
Checksums-Sha1:
947f55875a684d0d5e450783d3e9a0bd20d77500 985 pigz_2.1.6-1+squeeze1.dsc
4f7595f9b80b0b5f8429eab837c8591fb1b85d48 3275 pigz_2.1.6-1+squeeze1.diff.gz
1445f01f9a30833dc71e7246cd905e2b996622d3 34468 pigz_2.1.6-1+squeeze1_amd64.deb
Checksums-Sha256:
6c3a123700b06a1dc972f5897e545f098c7129585042305b143218cac71b90b8 985 pigz_2.1.6-1+squeeze1.dsc
a533946ae359f57b56fcb9240960439b5d5b11a00ea5bb53d2cfd64fc4b25449 3275 pigz_2.1.6-1+squeeze1.diff.gz
2957b43b6b013788c0b8907d96872a12a2f1d92772c1cbe67f8524e8b47c4e8f 34468 pigz_2.1.6-1+squeeze1_amd64.deb
Files:
afa5fd8e9a2f4a5a8692c21ec46da4a3 985 utils extra pigz_2.1.6-1+squeeze1.dsc
c24010228559a5a58c994e8fae6cdf10 3275 utils extra pigz_2.1.6-1+squeeze1.diff.gz
31083fea056b474e8e7f87385f5ea0c8 34468 utils extra pigz_2.1.6-1+squeeze1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFRTuTr4QZIHu3wCMURArFEAJ9vq7UetGLUF+/rzKzpv/L/waZkRQCfW8tL
joM7meUOKnFtMFGehJH5LpM=
=yOZ5
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 02 Jun 2013 07:32:45 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:09:41 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon