<<< Date Index >>>     <<< Thread Index >>>

Re: gzip TOCTOU file-permissions vulnerability



In-Reply-To: <7389fc4b05040412574f819112@xxxxxxxxxxxxxx>

Since no one has posted a fix...here's a stab at it.

-Steve Grubb

================

diff -ur gzip-1.3.5.orig/gzip.c gzip-1.3.5/gzip.c
--- gzip-1.3.5.orig/gzip.c      2005-04-14 09:25:04.941018504 -0400
+++ gzip-1.3.5/gzip.c   2005-04-14 09:33:36.966178848 -0400
@@ -881,8 +881,11 @@
     }

     close(ifd);
-    if (!to_stdout && close(ofd)) {
-       write_error();
+    if (!to_stdout) {
+        /* Copy modes, times, ownership, and remove the input file */
+        copy_stat(&istat);
+        if (close(ofd))
+           write_error();
     }
     if (method == -1) {
        if (!to_stdout) xunlink (ofname);
@@ -902,10 +905,6 @@
        }
        fprintf(stderr, "\n");
     }
-    /* Copy modes, times, ownership, and remove the input file */
-    if (!to_stdout) {
-       copy_stat(&istat);
-    }
 }

 /* ========================================================================
@@ -1731,7 +1730,7 @@
     reset_times(ofname, ifstat);
 #endif
     /* Copy the protection modes */
-    if (chmod(ofname, ifstat->st_mode & 07777)) {
+    if (fchmod(ofd, ifstat->st_mode & 07777)) {
        int e = errno;
        WARN((stderr, "%s: ", progname));
        if (!quiet) {
@@ -1740,7 +1739,7 @@
        }
     }
 #ifndef NO_CHOWN
-    chown(ofname, ifstat->st_uid, ifstat->st_gid);  /* Copy ownership */
+    (void) fchown(ofd, ifstat->st_uid, ifstat->st_gid);  /* Copy ownership */
 #endif
     remove_ofname = 0;
     /* It's now safe to remove the input file: */