Re: gzip TOCTOU file-permissions vulnerability
In-Reply-To: <7389fc4b05040412574f819112@xxxxxxxxxxxxxx>
Since no one has posted a fix...here's a stab at it.
-Steve Grubb
================
diff -ur gzip-1.3.5.orig/gzip.c gzip-1.3.5/gzip.c
--- gzip-1.3.5.orig/gzip.c 2005-04-14 09:25:04.941018504 -0400
+++ gzip-1.3.5/gzip.c 2005-04-14 09:33:36.966178848 -0400
@@ -881,8 +881,11 @@
}
close(ifd);
- if (!to_stdout && close(ofd)) {
- write_error();
+ if (!to_stdout) {
+ /* Copy modes, times, ownership, and remove the input file */
+ copy_stat(&istat);
+ if (close(ofd))
+ write_error();
}
if (method == -1) {
if (!to_stdout) xunlink (ofname);
@@ -902,10 +905,6 @@
}
fprintf(stderr, "\n");
}
- /* Copy modes, times, ownership, and remove the input file */
- if (!to_stdout) {
- copy_stat(&istat);
- }
}
/* ========================================================================
@@ -1731,7 +1730,7 @@
reset_times(ofname, ifstat);
#endif
/* Copy the protection modes */
- if (chmod(ofname, ifstat->st_mode & 07777)) {
+ if (fchmod(ofd, ifstat->st_mode & 07777)) {
int e = errno;
WARN((stderr, "%s: ", progname));
if (!quiet) {
@@ -1740,7 +1739,7 @@
}
}
#ifndef NO_CHOWN
- chown(ofname, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
+ (void) fchown(ofd, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
#endif
remove_ofname = 0;
/* It's now safe to remove the input file: */