Bug 79292 (CVE-2005-0988)

Summary: VUL-0: CVE-2005-0988: directory traversal bug in gzip
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Andreas Schwab <schwab>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-0988: CVSS v2 Base Score: 3.7 (AV:L/AC:H/Au:N/C:P/I:P/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ludwig Nussel 2005-04-21 12:44:19 UTC
We received the following report via bugtraq.
The issue is public.

This should certainly be coordinated with upstream

Date: Wed, 20 Apr 2005 20:24:42 +0100
From: Imran Ghory <imranghory@gmail.com>
To: bugtraq@securityfocus.com
Subject: gzip directory traversal vulnerability

================================
gzip directory traversal vulnerability
================================

Software: gzip
Version: 1.2.4, 1.3.3
Software URL: <http://www.gzip.org>
Platform:  Unix, Linux.
Vulnerability type: Input validation
Severity: Medium, local vuln, requires user using gunzip -N on a
malicious zip file. Can result in privilege escalation.

Vulnerable software
====================

gzip 1.2.4 and 1.3.3 and previous versions running on unix.

Vulnerability
==============

Ulf Härnhammar <metaur@telia.com> has discovered a vulnerability in
gunzip that allows a malicious zip file to extract to an arbitrary
directory of the attacker's choice when gunzip is used with the -N
option.

Further details of this vulnerability are available in the Debian bug
report #305255.

Direct link: <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255>

This vulnerability can be used to make the gzip file extract to a
directory which the attacker has write access to. This vulnerability
can then be used in combination with the gzip TOCTOU file-permissions
vulnerability (CAN-2005-0988, Bugtraq #12996) to change the
permissions on arbitrary files belonging to the user.

Fix
====

A patch developed by Ulf Härnhammar is linked to from the bug report
link given above.
Comment 1 Ludwig Nussel 2005-04-21 12:52:25 UTC
gzip doesn't hide the fact that there is an absolute path when listing the 
file with gzip -Nl so this probably is not a bug. 
Comment 2 Ludwig Nussel 2005-05-09 11:33:53 UTC
Ubuntu/Debian fixed it by just using the basename always. Is there discussion
upstream?
Comment 3 Andreas Schwab 2005-05-09 11:36:24 UTC
I've never seen anything. 
Comment 4 Marcus Meissner 2005-06-17 10:59:11 UTC
What are we doing with this bug?

I am a bit undecided whether to fix only STABLE or not.
Comment 5 Thomas Biege 2005-06-17 11:07:03 UTC
I think stable-only is ok.
Comment 6 Marcus Meissner 2005-06-17 14:26:25 UTC
retarget, drop vul-0 status  
Comment 7 Andreas Schwab 2005-07-26 13:02:59 UTC
Fixed. 
Comment 8 Thomas Biege 2009-10-13 21:17:28 UTC
CVE-2005-0988: CVSS v2 Base Score: 3.7 (AV:L/AC:H/Au:N/C:P/I:P/A:P)
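
The name that `gunzip -N` restores comes from the optional FNAME field of the gzip header (RFC 1952). The following is an added example, not part of the original report or of gzip's own code: it reads that field from constructed sample headers and applies the basename-only approach mentioned in Comment 2. All function names and sample names are hypothetical.

```python
import struct

FEXTRA, FNAME = 0x04, 0x08   # FLG bits from RFC 1952

def stored_name(data: bytes):
    """Return the original name stored in a gzip member header, or None."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a deflate gzip member")
    flags, pos = data[3], 10         # fixed part: ID1 ID2 CM FLG MTIME(4) XFL OS
    if flags & FEXTRA:               # extra field: 2-byte LE length, then payload
        if len(data) < pos + 2:
            raise ValueError("truncated FEXTRA field")
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & FNAME:
        return None
    end = data.find(b"\x00", pos)    # FNAME is NUL-terminated ISO 8859-1
    if end < 0:
        raise ValueError("unterminated FNAME field")
    return data[pos:end].decode("latin-1")

def safe_name(name: str):
    """Basename-only policy: drop every directory component of the stored name."""
    base = name.rsplit("/", 1)[-1]
    return None if base in ("", ".", "..") else base

def check_header(data: bytes):
    """Return (stored name, name safe to create, whether they differ)."""
    name = stored_name(data)
    if name is None:
        return (None, None, False)
    safe = safe_name(name)
    return (name, safe, safe != name)

def make_header(name: bytes) -> bytes:
    """Constructed sample: a bare gzip header carrying only an FNAME field."""
    return b"\x1f\x8b\x08" + bytes([FNAME]) + b"\x00" * 4 + b"\x00\x03" + name + b"\x00"

# Constructed sample inputs, not taken from the report.
SAMPLES = [make_header(n) for n in
           (b"report.txt", b"/tmp/demo/report.txt", b"../notes.txt", b"dir/")]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_header(sample))
```

A third element of `True` means the stored name carries a directory component, so an extractor that honours it verbatim would write outside the current directory.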