Your message dated Fri, 12 Apr 2013 18:02:04 +0000
with message-id <e1uqiiw-0003ck...@franck.debian.org>
and subject line Bug#700608: fixed in pigz 2.1.6-1+squeeze1
has caused the Debian Bug report #700608,
regarding pigz creates temp files with too wide permissions (CVE-2013-0296)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
700608: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700608
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pigz
Version: 2.2.4-1
Severity: serious
Tags: security


When asked to compress a file with restricted permissions (like
mode 0600), the .gz file pigz creates while doing this has the
usual mode derived from umask (like 0644).  If the file is
large enough (and why would we use pigz instead of gzip for
small files), this results in the original content being
readable for everyone until the compression finishes.

Here's the deal:

$ fallocate -l 1G foo
$ chmod 0600 foo
$ pigz foo &
$ ls -l foo foo.gz 
-rw------- 1 mjt mjt 1073741824 Фев 15 12:27 foo
-rw-rw-r-- 1 mjt mjt     502516 Фев 15 12:27 foo.gz

When it finishes, it correctly applies original file permissions
to the newly created file, but it is already waaay too late.

Other one-file archivers (gzip, xz, bzip2, ...) usually create
the temp file with very strict permissions first, and change it
to the right perms only when done, so only the current user can
read it.

It looks like this bug deserves a CVE#.

Thanks,

/mjt

--- End Message ---
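The two creation policies the report contrasts, written out as an added C example. This is not pigz's code and not the Debian patch; the function names (begin_output, finish_output, run_once, perm_bits, umask_default_mode) and the /tmp scratch file are this example's own. It creates a 0600 source file, opens the output either with the umask-derived default (the reported behaviour) or as 0600 first, and records the output's permission bits both while data is still being written and after the source's mode is copied onto the finished file with fchmod().

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path (st_mode & 07777), or -1 if stat() fails. */
int perm_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Create the output file. With private_first == 0 this is the behaviour
 * the report complains about: the requested 0666 is reduced only by the
 * umask, so a 0600 input typically becomes a 0644 (world-readable) .gz
 * while compression runs. With private_first != 0 the file is created
 * 0600, so only the owner can read it until it is complete. */
int begin_output(const char *dst, int private_first)
{
    mode_t mode = private_first ? 0600 : 0666;
    return open(dst, O_WRONLY | O_CREAT | O_EXCL, mode);
}

/* Called once all data is written: copy the source's permission bits
 * onto the finished output, as gzip and friends do at the end. */
int finish_output(int fd, mode_t src_mode)
{
    return fchmod(fd, src_mode & 07777);
}

/* Mode a freshly created 0666 file actually gets under the current umask. */
int umask_default_mode(void)
{
    mode_t old = umask(0);
    umask(old);
    return (int)(0666 & ~old);
}

/* Build a 0600 scratch source under /tmp (constructed name), "compress" it
 * into <src>.gz with the chosen creation policy, and report the output's
 * permission bits while writing is in progress (*during) and after
 * finish_output() (*final). Returns 0 on success, -1 on any I/O failure.
 * Both scratch files are removed before returning. */
int run_once(int private_first, int *during, int *final)
{
    char src[] = "/tmp/pigz-demo-src-XXXXXX";
    char dst[sizeof src + 3];
    struct stat st;
    const char payload[] = "secret payload that must stay 0600\n";
    int in, out, rc = -1;

    in = mkstemp(src);                 /* mkstemp creates the file 0600 */
    if (in < 0)
        return -1;
    snprintf(dst, sizeof dst, "%s.gz", src);

    if (write(in, payload, sizeof payload - 1) != (ssize_t)(sizeof payload - 1)
        || fstat(in, &st) != 0)
        goto out_src;

    out = begin_output(dst, private_first);
    if (out < 0)
        goto out_src;

    /* Between here and finish_output() other users can observe the file. */
    *during = perm_bits(dst);
    if (write(out, payload, sizeof payload - 1) < 0)
        goto out_dst;

    if (finish_output(out, st.st_mode) != 0)
        goto out_dst;
    *final = perm_bits(dst);
    rc = 0;

out_dst:
    close(out);
    unlink(dst);
out_src:
    close(in);
    unlink(src);
    return rc;
}

int main(void)
{
    int during, final;
    if (run_once(0, &during, &final) == 0)
        printf("umask-default creation: during=%04o final=%04o\n", during, final);
    if (run_once(1, &during, &final) == 0)
        printf("0600-first creation:    during=%04o final=%04o\n", during, final);
    return 0;
}
```

With a typical umask of 0022 the first line shows during=0644 while the second shows during=0600; the final mode is 0600 in both cases, which is exactly why the late fchmod() alone does not close the window.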
--- Begin Message ---
Source: pigz
Source-Version: 2.1.6-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
pigz, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eduard Bloch <bl...@debian.org> (supplier of updated pigz package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 23 Feb 2013 21:46:31 +0100
Source: pigz
Binary: pigz
Architecture: source amd64
Version: 2.1.6-1+squeeze1
Distribution: stable
Urgency: high
Maintainer: Eduard Bloch <bl...@debian.org>
Changed-By: Eduard Bloch <bl...@debian.org>
Description: 
 pigz       - Parallel Implementation of GZip
Closes: 700608
Changes: 
 pigz (2.1.6-1+squeeze1) stable; urgency=high
 .
   * Use 600 permissions for unfinished output files (CVE-2013-0296,
     closes: #700608)
Checksums-Sha1: 
 947f55875a684d0d5e450783d3e9a0bd20d77500 985 pigz_2.1.6-1+squeeze1.dsc
 4f7595f9b80b0b5f8429eab837c8591fb1b85d48 3275 pigz_2.1.6-1+squeeze1.diff.gz
 1445f01f9a30833dc71e7246cd905e2b996622d3 34468 pigz_2.1.6-1+squeeze1_amd64.deb
Checksums-Sha256: 
 6c3a123700b06a1dc972f5897e545f098c7129585042305b143218cac71b90b8 985 pigz_2.1.6-1+squeeze1.dsc
 a533946ae359f57b56fcb9240960439b5d5b11a00ea5bb53d2cfd64fc4b25449 3275 pigz_2.1.6-1+squeeze1.diff.gz
 2957b43b6b013788c0b8907d96872a12a2f1d92772c1cbe67f8524e8b47c4e8f 34468 pigz_2.1.6-1+squeeze1_amd64.deb
Files: 
 afa5fd8e9a2f4a5a8692c21ec46da4a3 985 utils extra pigz_2.1.6-1+squeeze1.dsc
 c24010228559a5a58c994e8fae6cdf10 3275 utils extra pigz_2.1.6-1+squeeze1.diff.gz
 31083fea056b474e8e7f87385f5ea0c8 34468 utils extra pigz_2.1.6-1+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRTuTr4QZIHu3wCMURArFEAJ9vq7UetGLUF+/rzKzpv/L/waZkRQCfW8tL
joM7meUOKnFtMFGehJH5LpM=
=yOZ5
-----END PGP SIGNATURE-----

--- End Message ---