FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

gzip -- directory traversal and permission race vulnerabilities

Affected packages
gzip < 1.3.5_2
Affected systems
5.4 <= FreeBSD < 5.4_2
5.0 <= FreeBSD < 5.3_16
4.11 <= FreeBSD < 4.11_10
4.10 <= FreeBSD < 4.10_15
4.9 <= FreeBSD < 4.9_18
FreeBSD < 4.8_33

Details

VuXML ID 63bd4bad-dffe-11d9-b875-0001020eed82
Discovery 2005-04-20
Entry 2005-06-18
Modified 2005-07-06

Problem Description

Two problems related to extraction of files exist in gzip:

The first problem is that gzip does not properly sanitize filenames containing "/" when uncompressing files using the -N command line option.

The second problem is that gzip does not set permissions on newly extracted files until after the file has been created and the file descriptor has been closed.

Impact

The first problem can allow an attacker to overwrite arbitrary local files when uncompressing a file using the -N command line option.

The second problem can allow a local attacker to change the permissions of arbitrary local files, on the same partition as the one the user is uncompressing a file on, by removing the file the user is uncompressing and replacing it with a hardlink before the uncompress operation is finished.

Workaround

Do not use the -N command line option on untrusted files and do not uncompress files in directories where untrusted users have write access.

References

CVE Name CVE-2005-0988
CVE Name CVE-2005-1228
FreeBSD Advisory SA-05:11.gzip
Message 7389fc4b05040412574f819112@mail.gmail.com
Message 7389fc4b0504201224759f31b@mail.gmail.com