Bugzilla – Bug 117712
VUL-0: CVE-2005-2991: ncompress: insecure tmp file handling
Last modified: 2021-11-09 15:24:39 UTC
Hello Uli, are we affected by this one:

The ncompress issue was reported to Gentoo on 2005-09-05, it seems to be CAN-2004-0970.
If you don't ship zcat in your package, you're fine.
http://bugs.gentoo.org/show_bug.cgi?id=104878
To: coley@mitre.org
Cc: vendor-sec@lst.de
From: Josh Bressers <bressers@redhat.com>
Subject: [vendor-sec] CAN-2004-0970 question
Errors-To: vendor-sec-admin@lst.de
Date: Fri, 16 Sep 2005 12:26:42 -0400

Steve,

An advisory was posted to full-disclosure today that references CAN-2004-0970.
http://marc.theaimsgroup.com/?l=full-disclosure&m=112688098630314&w=2

The text of CAN-2004-0970 references gzip by name, and the code in question isn't very similar. The ncompress script in question is named zcmp, which isn't listed as vulnerable in CAN-2004-0970.

I'm guessing there should be a new CVE id assigned to this.

Thanks.

--
JB
On Fri, 16 Sep 2005, Josh Bressers wrote:

> An advisory was posted to full-disclosure today that references
> CAN-2004-0970.
> http://marc.theaimsgroup.com/?l=full-disclosure&m=112688098630314&w=2
>
> The text of CAN-2004-0970 references gzip by name, and the code in question
> isn't very similar. The ncompress script in question is named zcmp, which
> isn't listed as vulnerable in CAN-2004-0970.

I suspect he linked it to CAN-2004-0970 because of this:

"ncompress use vulnerable version off zdiff and zcmp."

zdiff is mentioned in CAN-2004-0970, but zcmp is not.

If the problem in ncompress is because it uses its own vulnerable copy of zdiff, then that would argue for using the old CAN (similar to using the same CAN for all the products that use vulnerable XML-RPC libraries). But if zcmp is still vulnerable, or there's some other issue that forces people to patch, then it would probably be best to create a new CAN.

- Steve
another bug:

======================================================
Candidate: CAN-2005-2991
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2991
Reference: FULLDISC:20050916 ncompress insecure temporary file creation
Reference: URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=112688098630314&w=2
Reference: MISC:http://www.zataz.net/adviso/ncompress-09052005.txt

ncompress 4.2.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files using (1) zdiff or (2) zcmp, a different vulnerability than CAN-2004-0970.
ping?
minor severity (this is an internal package); reassigning to maintainer
Maintainer is still "uli@suse.de", even if the package was dead for some time.
a) BS, check pdb
b) I resigned from that job in January 2003.
a) uli@suse.de says autobuild and PDB history until some minutes ago. Even if you changed that yourself, you can fool the tools.
Ok, seems nobody will take care of that.
You reactivated that package. If you did it for yourself, maintain it. If you did it for somebody else, let them maintain it. In any case, I have nothing to do with it.
The whole report is invalid.
I think it is not.

thomas@bragg:~/work/9.1/ncompress/ncompress-4.2.4> grep tmp z*
zcmp: zcat $2 > /tmp/$F.$$
zcmp: zcat $1 | cmp $OPTIONS - /tmp/$F.$$
zcmp: zcat $2 > /tmp/$F.$$
zcmp: cmp $OPTIONS $1 /tmp/$F.$$
zdiff: zcat $2 > /tmp/$F.$$
zdiff: zcat $1 | diff $OPTIONS - /tmp/$F.$$
thomas@bragg:~/work/9.1/ncompress/ncompress-4.2.4> is_maintained ncompress
Package is on CD core9.i386
Distribution: sles9-i386
Distributionstring: SUSE-Linux-CORE-i386
Marketing-Name: SUSE CORE 9 for x86
Package is on CD core9.ia64
Distribution: sles9-ia64
Distributionstring: SUSE-Linux-CORE-ia64
Marketing-Name: SUSE CORE 9 for Itanium Processor Family
Package is on CD core9.ppc
Distribution: sles9-ppc
Distributionstring: SUSE-Linux-CORE-PPC
Marketing-Name: SUSE CORE 9 for IBM POWER
Package is on CD core9.s390
Distribution: sles9-s390
Distributionstring: SUSE-Linux-CORE-s390
Marketing-Name: SUSE CORE 9 for IBM S/390 31bit
Package is on CD core9.s390x
Distribution: sles9-s390x
Distributionstring: SUSE-Linux-CORE-s390x
Marketing-Name: SUSE CORE 9 for IBM zSeries 64bit
Package is on CD core9.x86-64
Distribution: sles9-x86_64
Distributionstring: SUSE-Linux-CORE-x86-64
Marketing-Name: SUSE CORE 9 for AMD64 and Intel EM64T
thomas@bragg:~/work/9.1/ncompress/ncompress-4.2.4> WhoMaintains ncompress
ncompress: package 'ncompress' maintained by 'kukuk@suse.de'
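The `/tmp/$F.$$` pattern from the grep output above, set beside a mktemp-based replacement, as an added example that is not part of this bug report or of the ncompress sources. The function names, the DECOMP variable and the optional directory argument are assumptions, introduced so the code also runs where compress is not installed.

```shell
#!/bin/sh
# Added example, not ncompress code. DECOMP, legacy_cmp and safe_cmp are
# hypothetical names; DECOMP stands in for the zcat call in zcmp/zdiff.
DECOMP=${DECOMP:-zcat}

# "Before": same shape as the zcmp lines in the grep output. The file name is
# basename + shell PID, so it can be predicted, and the `>` redirection opens
# whatever already exists at that path, following a symlink if there is one.
legacy_cmp() {   # usage: legacy_cmp FILE1 FILE2 [DIR]
    dir=${3:-/tmp}
    F=$(basename "$2")
    $DECOMP "$2" > "$dir/$F.$$"
    $DECOMP "$1" | cmp -s - "$dir/$F.$$"
    rc=$?
    rm -f "$dir/$F.$$"
    return $rc
}

# "After": mktemp creates the file itself, exclusively (O_EXCL), with mode
# 0600 and a random suffix. If something already sits at the chosen name,
# creation fails instead of writing through it.
safe_cmp() {     # usage: safe_cmp FILE1 FILE2 [DIR]
    dir=${3:-${TMPDIR:-/tmp}}
    tmp=$(mktemp "$dir/zcmp.XXXXXXXXXX") || return 2
    if ! $DECOMP "$2" > "$tmp"; then
        rm -f "$tmp"
        return 2             # decompression failed, distinct from "differ"
    fi
    $DECOMP "$1" | cmp -s - "$tmp"
    rc=$?                    # 0 = identical, 1 = differ (cmp's own codes)
    rm -f "$tmp"
    return $rc
}
```

A complete script would also install a trap that removes the temporary file when the script is interrupted.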
Did you ever check if we ship those tools?
CVE-2005-2991: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)