Your message dated Sat, 23 Feb 2013 20:47:36 +0000
with message-id <e1u9m0o-0007hn...@franck.debian.org>
and subject line Bug#700608: fixed in pigz 2.2.4-2
has caused the Debian Bug report #700608,
regarding pigz creates temp files with too wide permissions (CVE-2013-0296)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
700608: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700608
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pigz
Version: 2.2.4-1
Severity: serious
Tags: security


When asked to compress a file with restricted permissions (like
mode 0600), the .gz file pigz creates while doing this has the
usual mode derived from umask (like 0644).  If the file is
large enough (and why would we use pigz instead of gzip for
small files?), this results in the original content being
readable for everyone until the compression finishes.

Here's the deal:

$ fallocate -l 1G foo
$ chmod 0600 foo
$ pigz foo &
$ ls -l foo foo.gz 
-rw------- 1 mjt mjt 1073741824 Фев 15 12:27 foo
-rw-rw-r-- 1 mjt mjt     502516 Фев 15 12:27 foo.gz

When it finishes, it correctly applies original file permissions
to the newly created file, but it is already waaay too late.

Other one-file archivers (gzip, xz, bzip2, ...) usually create
the temp file with very strict permissions first, and change it
to the right perms only when done, so only the current user can
read it.

It looks like this bug deserves a CVE#.

Thanks,

/mjt

--- End Message ---
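The window the report describes, next to the fix the 2.2.4-2 changelog names (owner-only mode for the unfinished output, source mode applied only when done). This is an added illustration in C, not pigz's own code; the function names and the /tmp paths used by the helpers are assumed.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the report describes: the output is created with whatever umask
 * leaves from 0666, so a 0600 input becomes a 0644 .gz while it is still
 * being written. */
int open_output_wide(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
}

/* Hardened pattern ("600 permissions for unfinished output files"):
 * owner-only from the first byte, regardless of umask. */
int open_output_private(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

/* Permission bits of an open descriptor, or -1 on error. */
int fd_mode(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    return (int)(st.st_mode & 07777);
}

/* Only once the data is complete does the output inherit the source mode. */
int finish_output(int fd, mode_t source_mode) {
    return fchmod(fd, source_mode & 07777);
}

/* Mode an "in progress" output has under the given umask (assumed helper;
 * creates and removes a constructed file at `path`). */
int in_progress_mode(const char *path, int private, mode_t mask) {
    mode_t old = umask(mask);
    unlink(path);
    int fd = private ? open_output_private(path) : open_output_wide(path);
    umask(old);
    if (fd < 0) return -1;
    int m = fd_mode(fd);
    close(fd);
    unlink(path);
    return m;
}

/* Mode after finish_output() has applied the source mode (assumed helper). */
int finished_mode(const char *path, mode_t source_mode) {
    unlink(path);
    int fd = open_output_private(path);
    if (fd < 0) return -1;
    int m = (finish_output(fd, source_mode) == 0) ? fd_mode(fd) : -1;
    close(fd);
    unlink(path);
    return m;
}
```

With umask 022 the first variant reports 0644 while the file is still being written; the second reports 0600 under any umask and only takes the source mode after finish_output().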
--- Begin Message ---
Source: pigz
Source-Version: 2.2.4-2

We believe that the bug you reported is fixed in the latest version of
pigz, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eduard Bloch <bl...@debian.org> (supplier of updated pigz package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Sat, 23 Feb 2013 13:44:42 +0100
Source: pigz
Binary: pigz
Architecture: source amd64
Version: 2.2.4-2
Distribution: unstable
Urgency: high
Maintainer: Eduard Bloch <bl...@debian.org>
Changed-By: Eduard Bloch <bl...@debian.org>
Description: 
 pigz       - Parallel Implementation of GZip
Closes: 700608
Changes: 
 pigz (2.2.4-2) unstable; urgency=high
 .
   * Use 600 permissions for unfinished output files (CVE-2013-0296,
     closes: #700608)
   * started applying Debian hardening flags


--- End Message ---
