16.02.2013 12:18, Michael Tokarev wrote:
> Control: tag -1 + patch
>
> The attached patch fixes the issue.  It uses st.st_mode as a base
> when creating a new file (falling back to usual 0666 when dealing
> with stdin).  It also uses the same stat attributes as used when
> creating the file.

And attached is a really minimal fix, which does not touch copymeta(),
but uses the same st.st_mode "trick" instead of using 0666 directly.

For reference: this is all about http://bugs.debian.org/700608
aka CVE-2013-0296.

Thanks,

/mjt

--- pigz.c.orig 2012-03-11 22:36:30.000000000 +0400 +++ pigz.c 2013-02-16 12:20:31.426575444 +0400 @@ -2984,6 +2984,7 @@ local void process(char *path) mtime = headis & 2 ? (fstat(ind, &st) ? time(NULL) : st.st_mtime) : 0; len = 0; + st.st_mode = 0666; } else { /* set input file name (already set if recursed here) */ @@ -3228,7 +3229,7 @@ local void process(char *path) memcpy(out, to, len); strcpy(out + len, decode ? "" : sufx); outd = open(out, O_CREAT | O_TRUNC | O_WRONLY | - (force ? 0 : O_EXCL), 0666); + (force ? 0 : O_EXCL), st.st_mode & 0777); /* if exists and not -f, give user a chance to overwrite */ if (outd < 0 && errno == EEXIST && isatty(0) && verbosity) { @@ -3244,7 +3245,7 @@ local void process(char *path) } while (ch != EOF && ch != '\n' && ch != '\r'); if (reply == 1) outd = open(out, O_CREAT | O_TRUNC | O_WRONLY, - 0666); + st.st_mode & 0777); } /* if exists and no overwrite, report and go on to next */
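
Review bot: In the first hunk (@@ -2984), the stdin fallback is stored in st.st_mode directly after a line where fstat(ind, &st) only runs when headis & 2 is set, so the rest of st may be unfilled and any mode fstat did return for stdin is overwritten. A short comment stating that this field only feeds the later open() calls, or a separate local mode variable, would make the intent clear to the next reader.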
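
Review bot: In the second hunk (@@ -3228), the mode argument only takes effect when open() actually creates the file; with force set, O_EXCL is dropped, so an existing output file is truncated and keeps its current permission bits regardless of st.st_mode & 0777. If the -f path should get the same guarantee, consider an fchmod(outd, st.st_mode & 0777) after a successful open, or removing the old file before creating the new one.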
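
Review bot: In the third hunk (@@ -3244), this open() is reached only after the first attempt failed with EEXIST, so the file normally already exists and the new mode argument is ignored; the overwritten file keeps whatever permissions it had. If the output must never be more permissive than the input, tighten the mode on the descriptor after opening (for example with fchmod) rather than relying on the creation mode here.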