Bug#303300: marked as done (file permissions modification race (CAN-2005-0953))
Your message dated Sun, 12 Jun 2005 16:53:37 +1000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#303300: and woody?
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--
Received: (at submit) by bugs.debian.org; 5 Apr 2005 21:56:10 +
Date: Tue, 5 Apr 2005 17:59:05 -0400
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: file permissions modification race (CAN-2005-0953)

Package: bzip2
Version: 1.0.2-5
Severity: normal
Tags: security

According to http://marc.theaimsgroup.com/?l=bugtraq&m=111229375217633&w=2:

If a malicious local user has write access to a directory in which a
target user is using bzip2 to extract or compress a file to, then a
TOCTOU bug can be exploited to change the permission of any file
belonging to that user.

On decompressing bzip2 copies the permissions from the compressed
bzip2 file to the uncompressed file. However there is a gap between
the uncompressed file being written (and its file handler being
closed) and the permissions of the file being changed.

During this gap a malicious user can remove the decompressed file and
replace it with a hard-link to another file belonging to the user.
bzip2 will then change the permissions on the hard-linked file to be
the same as that of the bzip2 file.

This is a low impact security hole as it requires a local user to
exploit a race, and bzip2 must be run in a directory that the attacker
can write to (and +t directories probably don't work), and all you can
do is change a file's permissions.

If you fix this hole, please refer to CAN-2005-0953 in your changelog.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages bzip2 depends on:
ii  libbz2-1.0  1.0.2-5       high-quality block-sorting file co
ii  libc6       2.3.2.ds1-20  GNU C Library: Shared libraries an

-- no debconf information

-- 
see shy jo

---
Received: (at 303300-done) by bugs.debian.org; 12 Jun 2005 06:53:40 +
Date: Sun, 12 Jun 2005 16:53:37 +1000
From: Anibal Monsalve Salazar <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
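
Added example, not part of the archived messages and not bzip2's own code: the ordering described in the report above (close the output, then chmod() by name) beside a descriptor-based ordering (fchmod() before close). The other user's step is simulated deterministically inside a private temporary directory; the function names and the /tmp path are constructed for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for the other local user acting inside the gap: the output
   name is replaced by a hard link to another file of the same owner. */
static int swap_in_gap(const char *out, const char *other) {
    return (unlink(out) == 0 && link(other, out) == 0) ? 0 : -1;
}

/* Write `out`, then apply `mode`. by_path=1: close, then chmod(path),
   the order the report describes. by_path=0: fchmod(fd) before close,
   which acts on the inode that was written, whatever the name now is. */
static int write_and_set_mode(const char *out, const char *other,
                              mode_t mode, int by_path) {
    int rc, fd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    if (write(fd, "data\n", 5) != 5) { close(fd); return -1; }
    if (by_path) {
        close(fd);
        if (swap_in_gap(out, other) != 0) return -1;
        return chmod(out, mode);
    }
    if (swap_in_gap(out, other) != 0) { close(fd); return -1; }
    rc = fchmod(fd, mode);
    close(fd);
    return rc;
}
/* One scenario in a fresh temp dir (constructed paths). Returns the final
   permission bits of the unrelated file, created 0600, or -1 on error. */
int mode_of_other_after(int by_path) {
    char dir[] = "/tmp/toctou-demo-XXXXXX", out[64], other[64];
    struct stat st;
    int fd, rc, res;
    if (!mkdtemp(dir)) return -1;
    snprintf(out, sizeof out, "%s/out", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    if ((fd = open(other, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) return -1;
    close(fd);
    rc = write_and_set_mode(out, other, 0644, by_path);
    res = (rc == 0 && stat(other, &st) == 0) ? (int)(st.st_mode & 0777) : -1;
    unlink(out); unlink(other); rmdir(dir);
    return res;
}
int main(void) {
    printf("path: %o, fd: %o\n", mode_of_other_after(1), mode_of_other_after(0));
    return 0;
}
```

With the path-based order the unrelated file ends up 0644; with the descriptor-based order it keeps 0600, because the mode change follows the open file rather than the name.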
Bug#303300: marked as done (file permissions modification race (CAN-2005-0953))
Your message dated Wed, 04 May 2005 04:02:37 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#303300: fixed in bzip2 1.0.2-6
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

---
Received: (at 303300-close) by bugs.debian.org; 4 May 2005 08:12:37 +
From: Anibal Monsalve Salazar <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#303300: