In-Reply-To: <7389fc4b0503301338f74a428@xxxxxxxxxxxxxx> >================================ >bzip2 TOCTOU file-permissions vulnerability >================================ > >Software: bzip2 >Version: 1.0.2 >Software URL: <http://sources.redhat.com/bzip2/> >Platform: Unix, Linux. >Vulnerability type: Time-of-Check-Time-Of-Use >Severity: Low, requires local attacker and badly set >directory permissions. This is completely wrong. If you look at the code to bzip2.c, you'll see that it calls fopen_output_safely(). This function in turn does an open(name, O_WRONLY|O_CREAT|O_EXCL, S_IWUSR|S_IRUSR); This means the file is opened with perms 0600. >Vulnerable software >==================== > >bzip2 1.0.2 and previous versions running on unix. > >bzip2 1.0.2 compiled for Windows using lcc or MS >Visual C++ is not effected. Wrong again. In fopen_output_safely, if BZ_UNIX is not set, the it resorts to fopen. Looking at the manual_3.html page, it says that on Win32 you set this define to 0. Therefore windows might be vulnerable. >Vulnerability >============== > >If a malicious local user has write access to a >directory in which a target user is using bzip2 to >extract or compress a file to then a TOCTOU bug can >be exploited to change the permission of any file >belonging to that user. Wrong. They must be logged in as that user. Remember, perms on tmp file was 0600. >Fix >==== > >Ensure that any directory which is being used by >bzip2 to compress/decompress files is only writeable >by the user or alternatively set the sticky bit on the >directory's permissions According to changelog, this was fixed in 1.0.2. So, 1.0.1 and earlier might be a problem. This report is wrong in almost all aspects. -Steve Grubb
