Package: bzip2
Version: 1.0.2-5
Severity: normal
Tags: security

According to http://marc.theaimsgroup.com/?l=bugtraq&m=111229375217633&w=2:

If a malicious local user has write access to a directory in which a target user is using bzip2 to extract or compress a file to then a TOCTOU bug can be exploited to change the permission of any file belonging to that user.

On decompressing bzip2 copies the permissions from the compressed bzip2 file to the uncompressed file. However there is a gap between the uncompressed file being written (and its file handler being closed) and the permissions of the file being changed.

During this gap a malicious user can remove the decompressed file and replace it with a hard-link to another file belonging to the user. bzip2 will then change the permissions on the hard-linked file to be the same as that of the bzip2 file.

This is a low impact security hole as it requires a local user to exploit a race, and bzip2 must be run in a directory that the attacker can write to (and +t directories probably don't work), and all you can do is change a file's permissions.

If you fix this hole, please refer to CAN-2005-0953 in your changelog.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages bzip2 depends on:
ii  libbz2-1.0  1.0.2-5       high-quality block-sorting file co
ii  libc6       2.3.2.ds1-20  GNU C Library: Shared libraries an

-- no debconf information

-- 
see shy jo
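The ordering problem described in the report, as an added C example (not bzip2's code and not part of the original report): setting permissions by name after close() resolves the name a second time, while fchmod() on the descriptor that was written stays bound to that file. The helper names, the temporary paths and the in-process swap_entry() stand-in for the concurrent change are all hypothetical.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for the concurrent change the report describes:
 * the output name is re-pointed at another file via a hard link. */
static int swap_entry(const char *out, const char *other)
{
    return (unlink(out) == 0 && link(other, out) == 0) ? 0 : -1;
}

/* Hypothetical helper, not bzip2's code. Writes `out`, then sets `mode`.
 * by_fd == 0: close(), then chmod() by name (the ordering in the report).
 * by_fd == 1: fchmod() on the descriptor that was written, then close(). */
static int write_then_set_mode(const char *out, const char *other, mode_t mode, int by_fd)
{
    int rc, fd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    if (write(fd, "data\n", 5) != 5) { close(fd); return -1; }
    if (by_fd) {
        if (swap_entry(out, other) != 0) { close(fd); return -1; }
        rc = fchmod(fd, mode);        /* acts on the inode we created */
        return (close(fd) == 0 && rc == 0) ? 0 : -1;
    }
    if (close(fd) != 0) return -1;
    if (swap_entry(out, other) != 0) return -1;   /* the gap */
    return chmod(out, mode);          /* name is resolved again here */
}

/* Runs one variant in a fresh private directory and returns the permission
 * bits the unrelated file (created 0600) ends up with, or -1 on error. */
int other_mode_after(int by_fd)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX", out[64], other[64];
    struct stat st;
    int fd, ok;
    if (!mkdtemp(dir)) return -1;
    snprintf(out, sizeof out, "%s/out", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    fd = open(other, O_WRONLY | O_CREAT | O_EXCL, 0600);
    ok = fd >= 0 && fchmod(fd, 0600) == 0 && close(fd) == 0
         && write_then_set_mode(out, other, 0644, by_fd) == 0
         && stat(other, &st) == 0;
    unlink(out); unlink(other); rmdir(dir);
    return ok ? (int)(st.st_mode & 07777) : -1;
}
```

With the by-name ordering the unrelated file ends up 0644; with the descriptor-based ordering it keeps 0600, because the mode change lands on the file that was actually written.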