Re: bzip2 TOCTOU file-permissions vulnerability
In-Reply-To: <7389fc4b0503301338f74a428@xxxxxxxxxxxxxx>
>================================
>bzip2 TOCTOU file-permissions vulnerability
>================================
>
>Software: bzip2
>Version: 1.0.2
>Software URL: <http://sources.redhat.com/bzip2/>
>Platform: Unix, Linux.
>Vulnerability type: Time-of-Check-Time-Of-Use
>Severity: Low, requires local attacker and badly set
>directory permissions.
This is completely wrong. If you look at the code to bzip2.c, you'll see that
it calls fopen_output_safely(). This function in turn does an
open(name, O_WRONLY|O_CREAT|O_EXCL, S_IWUSR|S_IRUSR);
This means the file is opened with perms 0600.
>Vulnerable software
>====================
>
>bzip2 1.0.2 and previous versions running on unix.
>
>bzip2 1.0.2 compiled for Windows using lcc or MS
>Visual C++ is not effected.
Wrong again. In fopen_output_safely, if BZ_UNIX is not set, the it resorts to
fopen. Looking at the manual_3.html page, it says that on Win32 you set this
define to 0. Therefore windows might be vulnerable.
>Vulnerability
>==============
>
>If a malicious local user has write access to a
>directory in which a target user is using bzip2 to
>extract or compress a file to then a TOCTOU bug can
>be exploited to change the permission of any file
>belonging to that user.
Wrong. They must be logged in as that user. Remember, perms on tmp file was
0600.
>Fix
>====
>
>Ensure that any directory which is being used by
>bzip2 to compress/decompress files is only writeable
>by the user or alternatively set the sticky bit on the
>directory's permissions
According to changelog, this was fixed in 1.0.2. So, 1.0.1 and earlier might be
a problem. This report is wrong in almost all aspects.
-Steve Grubb