Control: retitle -1 CVE-2013-0296: pigz creates temp files with too wide permissions

Hi

On Fri, Feb 15, 2013 at 12:30:09PM +0400, Michael Tokarev wrote:
> When asked to compress a file with restricted permissions (like
> mode 0600), the .gz file pigz creates while doing this has
> usual mode derived from umask (like 0644).  If the file is
> large enough (and why we would use pigz instead of gzip for
> small files), this results in the original content being
> readable for everyone until the compression finishes.
> 
> Here's the deal:
> 
> $ fallocate -l 1G foo
> $ chmod 0600 foo
> $ pigz foo &
> $ ls -l foo foo.gz 
> -rw------- 1 mjt mjt 1073741824 ?????? 15 12:27 foo
> -rw-rw-r-- 1 mjt mjt     502516 ?????? 15 12:27 foo.gz
> 
> When it finishes, it correctly applies original file permissions
> to the newly created file, but it is already waaay too late.
> 
> Other one-file archivers (gzip, xz, bzip2, ...) usually create
> the temp file with very strict permissions first, and change it
> to the right perms only when done, so only the current user can
> read it.
> 
> It looks like this bug deserves a CVE#.

A CVE was assigned to this now[1]: CVE-2013-0296. Could you please
include the CVE in your changelog when fixing the issue?

 [1]: http://marc.info/?l=oss-security&m=136099644815551&w=2

Regards,
Salvatore
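As an added illustration (not pigz's, gzip's or Debian's own code), the C below shows the create-restricted-first, restore-permissions-last pattern the report describes, next to the umask-derived creation it warns about, plus the stat() check a defender can use to confirm an in-progress output file is not group/world readable; the function names and /tmp paths are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the report describes: the output file's mode comes from the
 * umask (typically 0644) from the moment it is created. */
int open_output_unsafe(const char *out_path) {
    return open(out_path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened pattern used by gzip/xz/bzip2: create the output owner
 * read/write only; the umask can only tighten 0600, never loosen it. */
int open_output_safe(const char *out_path) {
    return open(out_path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

/* After the last byte is written, copy the source's permission bits onto
 * the finished output, which is what pigz already does at the end. */
int finalize_output(int out_fd, const char *src_path) {
    struct stat st;
    if (stat(src_path, &st) != 0 || fsync(out_fd) != 0) return -1;
    return fchmod(out_fd, st.st_mode & 07777);
}

/* Defender-side check: 1 if any group/other bit is set, 0 if none,
 * -1 if the path cannot be stat()ed. */
int exposed_to_others(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) != 0;
}

int main(void) {
    /* Constructed demo paths, not anything from the bug report. */
    const char *src = "/tmp/pigz_demo_src", *out = "/tmp/pigz_demo_src.gz";
    int sfd = open(src, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (sfd < 0) return 1;
    close(sfd);
    unlink(out);
    int ofd = open_output_safe(out);
    if (ofd < 0 || write(ofd, "payload", 7) != 7) return 1;
    printf("exposed while still writing: %d\n", exposed_to_others(out));
    if (finalize_output(ofd, src) != 0) return 1;
    close(ofd);
    unlink(src); unlink(out);
    return 0;
}
```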
