Debian Bug report logs - #632862: insecure temporary file creation (bzexe)
Reported by: vladz <vladz@devzero.fr>
Date: Wed, 6 Jul 2011 15:21:02 UTC
Severity: normal
Tags: security
Found in version bzip2/1.0.5-6
Fixed in versions bzip2/1.0.6-1, bzip2/1.0.5-6+squeeze1
Done: Moritz Muehlenhoff <jmm@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>: Bug#632862; Package bzip2. (Wed, 06 Jul 2011 15:21:05 GMT)
Acknowledgement sent to vladz <vladz@devzero.fr>: New Bug report received and forwarded. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Wed, 06 Jul 2011 15:21:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: bzip2
Version: 1.0.5-6
Tags: security
This issue affects every binary compressed with the /bin/bzexe
utility.
$ cat -n /bin/bzexe
[...]
128 if /bin/ln $tmpfile "/tmp/$prog" 2>/dev/null; then
129 trap '/bin/rm -f $tmpfile "/tmp/$prog"; exit $res' 0
130 (/bin/sleep 5; /bin/rm -f $tmpfile "/tmp/$prog") 2>/dev/null &
131 /tmp/"$prog" ${1+"$@"}; res=$?
[...]
While a binary uncompresses itself, it creates a temporary file
"/tmp/$prog" in an insecure manner (line #128). Indeed, if "/tmp/$prog"
already exists AND is a directory controlled by someone else, hard link
creation won't fail and "/tmp/$prog" will be executed (line 131). In
some cases, use of a race condition can lead to a root exploit.
At line #128, I would suggest using the "-T" option instead:
/bin/ln -T $tmpfile "/tmp/$prog"
I'm using Debian 6.0.2, kernel 2.6.32-5-amd64, libc6 2.11.2-10.
--
http://vladz.devzero.fr
PGP key 8F7E2D3C from pgp.mit.edu
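Added example, not part of the original report and not bzexe's own code: the difference between "ln" (line 128) and "ln -T" (the proposed fix) can be checked in a private sandbox, for a destination that is absent, a pre-existing directory, or a pre-existing file. The names "payload" and "prog" and the link_outcome helper are constructed for this illustration; GNU coreutils ln is assumed.

```sh
#!/bin/sh
# Added illustration: everything happens inside a private mktemp -d sandbox.
# "payload", "prog" and link_outcome are constructed names, not bzexe's own.

# link_outcome MODE KIND
#   MODE  plain  = ln     (as on line 128 of bzexe)
#         strict = ln -T  (the fix proposed in the report; GNU ln assumed)
#   KIND  what already exists at the destination: none, dir or file
# Prints "<linked|refused>:<what the destination is afterwards>".
link_outcome() {
    mode=$1; kind=$2
    sandbox=$(mktemp -d) || return 1
    tmpfile="$sandbox/payload"   # stands in for bzexe's $tmpfile
    dest="$sandbox/prog"         # stands in for "/tmp/$prog"
    echo 'decompressed program' > "$tmpfile"

    case $kind in
        dir)  mkdir "$dest" ;;            # directory created by someone else
        file) echo 'foreign' > "$dest" ;; # file created by someone else
    esac

    result=linked
    if [ "$mode" = strict ]; then
        ln -T "$tmpfile" "$dest" 2>/dev/null || result=refused
    else
        ln "$tmpfile" "$dest" 2>/dev/null || result=refused
    fi

    # Is the destination the inode we just linked, or something else?
    if [ -d "$dest" ]; then state=directory
    elif [ "$dest" -ef "$tmpfile" ]; then state=our-file
    elif [ -e "$dest" ]; then state=foreign-file
    else state=missing
    fi

    rm -rf "$sandbox"
    echo "$result:$state"
}

# "linked:directory" is the dangerous row: ln reported success, so the
# script would go on to run a path it does not actually control.
for kind in none dir file; do
    printf '%-5s plain=%-22s strict=%s\n' "$kind" \
        "$(link_outcome plain "$kind")" "$(link_outcome strict "$kind")"
done
```

Only the "dir" row differs between the two modes: plain ln places the link inside the existing directory and reports success, while ln -T refuses.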
Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>: Bug#632862; Package bzip2. (Thu, 27 Oct 2011 16:45:03 GMT)
Acknowledgement sent to Benjamin Renaut <benml@tokidev.fr>: Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Thu, 27 Oct 2011 16:45:03 GMT)
Message #10 received at 632862@bugs.debian.org:
Confirmed - same behaviour here (Debian 6.0.3, amd64, bzip2 1.0.5-6).
A - rough and hastily done - proof of concept exploiting the
vulnerability: http://pastebin.com/FaaEsXRW
I can confirm that using the -T flag fixes this.
Note that the security impact is probably quite low, as bzexe seems to
be rarely used.
Reply sent to Anibal Monsalve Salazar <anibal@debian.org>: You have taken responsibility. (Sun, 04 Dec 2011 09:36:12 GMT)
Notification sent to vladz <vladz@devzero.fr>: Bug acknowledged by developer. (Sun, 04 Dec 2011 09:36:15 GMT)
Message #15 received at 632862-close@bugs.debian.org:
Source: bzip2
Source-Version: 1.0.6-1
We believe that the bug you reported is fixed in the latest version of
bzip2, which is due to be installed in the Debian FTP archive:
bzip2-doc_1.0.6-1_all.deb
to main/b/bzip2/bzip2-doc_1.0.6-1_all.deb
bzip2_1.0.6-1.debian.tar.bz2
to main/b/bzip2/bzip2_1.0.6-1.debian.tar.bz2
bzip2_1.0.6-1.dsc
to main/b/bzip2/bzip2_1.0.6-1.dsc
bzip2_1.0.6-1_mipsel.deb
to main/b/bzip2/bzip2_1.0.6-1_mipsel.deb
bzip2_1.0.6.orig.tar.bz2
to main/b/bzip2/bzip2_1.0.6.orig.tar.bz2
libbz2-1.0_1.0.6-1_mipsel.deb
to main/b/bzip2/libbz2-1.0_1.0.6-1_mipsel.deb
libbz2-dev_1.0.6-1_mipsel.deb
to main/b/bzip2/libbz2-dev_1.0.6-1_mipsel.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 632862@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated bzip2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 04 Dec 2011 19:51:51 +1100
Source: bzip2
Binary: libbz2-1.0 libbz2-dev bzip2 lib64bz2-1.0 lib64bz2-dev lib32bz2-1.0 lib32bz2-dev bzip2-doc
Architecture: source all mipsel
Version: 1.0.6-1
Distribution: unstable
Urgency: low
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description:
bzip2 - high-quality block-sorting file compressor - utilities
bzip2-doc - high-quality block-sorting file compressor - documentation
lib32bz2-1.0 - high-quality block-sorting file compressor library - 32bit runtim
lib32bz2-dev - high-quality block-sorting file compressor library - 32bit develo
lib64bz2-1.0 - high-quality block-sorting file compressor library - 64bit runtim
lib64bz2-dev - high-quality block-sorting file compressor library - 64bit develo
libbz2-1.0 - high-quality block-sorting file compressor library - runtime
libbz2-dev - high-quality block-sorting file compressor library - development
Closes: 619797 632862 646972
Changes:
bzip2 (1.0.6-1) unstable; urgency=low
.
* New upstream version 1.0.6
* Debian source format is 3.0 (quilt)
* Fix "insecure temporary file creation (bzexe)"
Patch by vladz
Closes: 632862
* Compress changelogs with the -n option
Closes: 646972
* Update debian/copyright
Closes: 619797
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
Reply sent to Moritz Muehlenhoff <jmm@debian.org>: You have taken responsibility. (Tue, 27 Dec 2011 01:57:04 GMT)
Notification sent to vladz <vladz@devzero.fr>: Bug acknowledged by developer. (Tue, 27 Dec 2011 01:57:04 GMT)
Message #20 received at 632862-close@bugs.debian.org:
Source: bzip2
Source-Version: 1.0.5-6+squeeze1
We believe that the bug you reported is fixed in the latest version of
bzip2, which is due to be installed in the Debian FTP archive:
bzip2-doc_1.0.5-6+squeeze1_all.deb
to main/b/bzip2/bzip2-doc_1.0.5-6+squeeze1_all.deb
bzip2_1.0.5-6+squeeze1.diff.gz
to main/b/bzip2/bzip2_1.0.5-6+squeeze1.diff.gz
bzip2_1.0.5-6+squeeze1.dsc
to main/b/bzip2/bzip2_1.0.5-6+squeeze1.dsc
bzip2_1.0.5-6+squeeze1_amd64.deb
to main/b/bzip2/bzip2_1.0.5-6+squeeze1_amd64.deb
lib32bz2-1.0_1.0.5-6+squeeze1_amd64.deb
to main/b/bzip2/lib32bz2-1.0_1.0.5-6+squeeze1_amd64.deb
lib32bz2-dev_1.0.5-6+squeeze1_amd64.deb
to main/b/bzip2/lib32bz2-dev_1.0.5-6+squeeze1_amd64.deb
libbz2-1.0_1.0.5-6+squeeze1_amd64.deb
to main/b/bzip2/libbz2-1.0_1.0.5-6+squeeze1_amd64.deb
libbz2-dev_1.0.5-6+squeeze1_amd64.deb
to main/b/bzip2/libbz2-dev_1.0.5-6+squeeze1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 632862@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated bzip2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 26 Dec 2011 11:39:27 +0000
Source: bzip2
Binary: libbz2-1.0 libbz2-dev bzip2 lib64bz2-1.0 lib64bz2-dev lib32bz2-1.0 lib32bz2-dev bzip2-doc
Architecture: source all amd64
Version: 1.0.5-6+squeeze1
Distribution: stable
Urgency: low
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description:
bzip2 - high-quality block-sorting file compressor - utilities
bzip2-doc - high-quality block-sorting file compressor - documentation
lib32bz2-1.0 - high-quality block-sorting file compressor library - 32bit runtim
lib32bz2-dev - high-quality block-sorting file compressor library - 32bit develo
lib64bz2-1.0 - high-quality block-sorting file compressor library - 64bit runtim
lib64bz2-dev - high-quality block-sorting file compressor library - 64bit develo
libbz2-1.0 - high-quality block-sorting file compressor library - runtime
libbz2-dev - high-quality block-sorting file compressor library - development
Closes: 632862
Changes:
bzip2 (1.0.5-6+squeeze1) stable; urgency=low
.
* Non-maintainer upload by the Security Team
* Fix CVE-2011-4089, thanks to vladz (Closes: #632862)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 24 Jan 2012 07:35:15 GMT)
Last modified: Wed Jun 19 18:18:10 2019