bug-gzip

Possible security problem with change from version 1.3.11


From: Joerg Lehners
Subject: Possible security problem with change from version 1.3.11
Date: Wed, 18 Apr 2007 18:53:29 +0200 (MEST)


From gzip-1.3.12/NEWS:

...
Major changes in Gzip 1.3.11 (2007-02-05)

* As per the GNU coding standards, the behavior of gzip and its
  companion executables no longer depend on the name used to invoke them.
  For example, 'gzip' and 'gunzip' are no longer hard links;
  instead, 'gunzip' is now a small program that invokes 'gzip -d'.
...


Looking into /usr/local/bin/gunzip:

joerg @ taifun> cat /usr/local/bin/gunzip
#!/bin/bash
PATH=${GZIP_BINDIR-'/usr/local/bin'}:$PATH
exec gzip -d "$@"
joerg @ taifun>

Hmmm, doesn't this open a new security hole?

Formerly a (possibly suid) program could do
        execl ("/usr/local/bin/gunzip", arg1, arg2, arg3, ...);
and was more or less safe to execute the well known program.

Now an attacker can trick this program with
        GZIP_BINDIR=/tmp/something program
to get /tmp/something/gzip executed.

But then: executing suid programs with possibly polluted environment
isn't safe anyway.

  Joerg
--
Mail: address@hidden    Tel: 2198
Real: Joerg Lehners, Informatik ARBI, Uni Oldenburg, D-26111 Oldenburg
Non-words: cost cutting - profit maximization - cheap, cheap, cheap
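
The behaviour described in the message, reproduced in a throwaway sandbox as an added example (not part of the original post and not gzip's own code). The sandbox directories, the stand-in gzip scripts and the helpers call_inherited and call_scrubbed are constructed for illustration; the wrapper copy uses /bin/sh and has its default directory pointed into the sandbox. It contrasts a caller that passes its environment through with one that hands the wrapper a fixed environment.

```shell
#!/bin/sh
# Constructed sandbox: nothing here touches the real gzip or /usr/local/bin.
demo=$(mktemp -d) || exit 1
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/trusted" "$demo/other"

# Stand-ins for gzip that only report which copy ran (constructed).
for d in trusted other; do
    printf '#!/bin/sh\necho "%s gzip ran"\n' "$d" > "$demo/$d/gzip"
    chmod +x "$demo/$d/gzip"
done

# Copy of the wrapper logic quoted in the message. Assumptions: shebang
# changed to /bin/sh, default bindir replaced by the sandbox "trusted" dir.
cat > "$demo/trusted/gunzip" <<EOF
#!/bin/sh
PATH=\${GZIP_BINDIR-'$demo/trusted'}:\$PATH
exec gzip -d "\$@"
EOF
chmod +x "$demo/trusted/gunzip"

# Caller that runs the wrapper by absolute path but passes its own
# environment through unchanged, as execl() does.
call_inherited() {
    "$demo/trusted/gunzip" "$@"
}

# Caller that runs the same absolute path with a fixed, minimal
# environment, so GZIP_BINDIR never reaches the wrapper.
call_scrubbed() {
    env -i PATH=/usr/bin:/bin "$demo/trusted/gunzip" "$@"
}

export GZIP_BINDIR="$demo/other"          # the polluted variable from the message
echo "inherited env: $(call_inherited)"   # -> other gzip ran
echo "scrubbed env:  $(call_scrubbed)"    # -> trusted gzip ran
unset GZIP_BINDIR
```

In a C caller the counterpart of call_scrubbed is execle() or execve() with an explicitly built envp rather than execl().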