bzip2 chmod File Permission Modification Race Condition Weakness
BID:12954
Info
| Bugtraq ID: | 12954 |
| Class: | Race Condition Error |
| CVE: | CVE-2005-0953 |
| Remote: | No |
| Local: | Yes |
| Published: | Mar 31 2005 12:00AM |
| Updated: | Jul 02 2008 07:30PM |
| Credit: | Discovery of this weakness is credited to Imran Ghory. |
| Vulnerable: |
Ubuntu Ubuntu Linux 5.0 4 powerpc Ubuntu Ubuntu Linux 5.0 4 i386 Ubuntu Ubuntu Linux 5.0 4 amd64 Ubuntu Ubuntu Linux 4.1 ppc Ubuntu Ubuntu Linux 4.1 ia64 Ubuntu Ubuntu Linux 4.1 ia32 Turbolinux Turbolinux Workstation 8.0 Turbolinux Turbolinux Workstation 7.0 Turbolinux Turbolinux Server 10.0 Turbolinux Turbolinux Server 8.0 Turbolinux Turbolinux Server 7.0 Turbolinux Turbolinux Desktop 10.0 Turbolinux Home Turbolinux Appliance Server 1.0 Workgroup Edition Turbolinux Appliance Server 1.0 Hosting Edition Trustix Secure Linux 3.0 Trustix Secure Linux 2.2 Trustix Operating System Enterprise Server 2.0 Sun Solaris 9_x86 Sun Solaris 9 Sun Solaris 8_x86 Sun Solaris 8_sparc Sun Solaris 10.0_x86 Sun Solaris 10.0 SGI ProPack 3.0 SP6 SGI ProPack 3.0 SP5 rPath rPath Linux 1 Redhat Linux 9.0 i386 Redhat Linux 7.3 i686 Redhat Linux 7.3 i386 Redhat Linux 7.3 Redhat Fedora Core2 Redhat Fedora Core1 Redhat Enterprise Linux WS 4 Redhat Enterprise Linux WS 3 Redhat Enterprise Linux WS 2.1 IA64 Redhat Enterprise Linux WS 2.1 Redhat Enterprise Linux ES 4 Redhat Enterprise Linux ES 3 Redhat Enterprise Linux ES 2.1 IA64 Redhat Enterprise Linux ES 2.1 Redhat Enterprise Linux AS 4 Redhat Enterprise Linux AS 3 Redhat Enterprise Linux AS 2.1 IA64 Redhat Enterprise Linux AS 2.1 Redhat Desktop 4.0 Redhat Desktop 3.0 Redhat Advanced Workstation for the Itanium Processor 2.1 IA64 Redhat Advanced Workstation for the Itanium Processor 2.1 OpenPKG OpenPKG 2.3 OpenPKG OpenPKG 2.2 NetBSD NetBSD Current NetBSD NetBSD 4.0 NetBSD NetBSD 3.1 Navision Financials Server 3.0 Mandriva Linux Mandrake 2006.0 x86_64 Mandriva Linux Mandrake 2006.0 Mandriva Linux Mandrake 10.2 x86_64 Mandriva Linux Mandrake 10.2 Mandriva Linux Mandrake 10.1 x86_64 Mandriva Linux Mandrake 10.1 Mandriva Linux Mandrake 10.0 AMD64 Mandriva Linux Mandrake 10.0 MandrakeSoft Multi Network Firewall 2.0 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 MandrakeSoft Corporate Server 2.1 x86_64 MandrakeSoft 
Corporate Server 2.1 FreeBSD FreeBSD 5.4 -RELENG FreeBSD FreeBSD 5.4 -RELEASE FreeBSD FreeBSD 5.4 -PRERELEASE FreeBSD FreeBSD 5.3 -STABLE FreeBSD FreeBSD 5.3 -RELENG FreeBSD FreeBSD 5.3 -RELEASE FreeBSD FreeBSD 5.3 FreeBSD FreeBSD 5.2.1 -RELEASE FreeBSD FreeBSD 5.2 -RELENG FreeBSD FreeBSD 5.2 -RELEASE FreeBSD FreeBSD 5.2 FreeBSD FreeBSD 5.1 -RELENG FreeBSD FreeBSD 5.1 -RELEASE/Alpha FreeBSD FreeBSD 5.1 -RELEASE-p5 FreeBSD FreeBSD 5.1 -RELEASE FreeBSD FreeBSD 5.1 FreeBSD FreeBSD 5.0 -RELENG FreeBSD FreeBSD 5.0 -RELEASE-p14 FreeBSD FreeBSD 5.0 alpha FreeBSD FreeBSD 5.0 FreeBSD FreeBSD 4.11 -STABLE FreeBSD FreeBSD 4.11 -RELENG FreeBSD FreeBSD 4.11 -RELEASE-p3 FreeBSD FreeBSD 4.10 -RELENG FreeBSD FreeBSD 4.10 -RELEASE-p8 FreeBSD FreeBSD 4.10 -RELEASE FreeBSD FreeBSD 4.10 FreeBSD FreeBSD 4.9 -RELENG FreeBSD FreeBSD 4.9 -PRERELEASE FreeBSD FreeBSD 4.9 FreeBSD FreeBSD 4.8 -RELENG FreeBSD FreeBSD 4.8 -RELEASE-p7 FreeBSD FreeBSD 4.8 -PRERELEASE FreeBSD FreeBSD 4.8 FreeBSD FreeBSD 4.7 -STABLE FreeBSD FreeBSD 4.7 -RELENG FreeBSD FreeBSD 4.7 -RELEASE-p17 FreeBSD FreeBSD 4.7 -RELEASE FreeBSD FreeBSD 4.7 FreeBSD FreeBSD 4.6.2 FreeBSD FreeBSD 4.6 -STABLE FreeBSD FreeBSD 4.6 -RELENG FreeBSD FreeBSD 4.6 -RELEASE-p20 FreeBSD FreeBSD 4.6 -RELEASE FreeBSD FreeBSD 4.6 FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07 FreeBSD FreeBSD 4.5 -STABLE FreeBSD FreeBSD 4.5 -RELENG FreeBSD FreeBSD 4.5 -RELEASE-p32 FreeBSD FreeBSD 4.5 -RELEASE FreeBSD FreeBSD 4.5 FreeBSD FreeBSD 4.4 -STABLE FreeBSD FreeBSD 4.4 -RELENG FreeBSD FreeBSD 4.4 -RELENG FreeBSD FreeBSD 4.4 -RELEASE-p42 FreeBSD FreeBSD 4.4 FreeBSD FreeBSD 4.3 -STABLE FreeBSD FreeBSD 4.3 -RELENG FreeBSD FreeBSD 4.3 -RELEASE-p38 FreeBSD FreeBSD 4.3 -RELEASE FreeBSD FreeBSD 4.3 FreeBSD FreeBSD 4.2 -STABLEpre122300 FreeBSD FreeBSD 4.2 -STABLEpre050201 FreeBSD FreeBSD 4.2 -STABLE FreeBSD FreeBSD 4.2 -RELEASE FreeBSD FreeBSD 4.2 FreeBSD FreeBSD 4.1.1 -STABLE FreeBSD FreeBSD 4.1.1 -RELEASE FreeBSD FreeBSD 4.1.1 FreeBSD FreeBSD 4.1 FreeBSD FreeBSD 4.0 .x 
FreeBSD FreeBSD 4.0 -RELENG FreeBSD FreeBSD 4.0 alpha FreeBSD FreeBSD 4.0 Debian Linux 3.0 sparc Debian Linux 3.0 s/390 Debian Linux 3.0 ppc Debian Linux 3.0 mipsel Debian Linux 3.0 mips Debian Linux 3.0 m68k Debian Linux 3.0 ia-64 Debian Linux 3.0 ia-32 Debian Linux 3.0 hppa Debian Linux 3.0 arm Debian Linux 3.0 alpha Debian Linux 3.0 bzip2 bzip2 1.0.2 bzip2 bzip2 1.0.1 bzip2 bzip2 1.0 bzip2 bzip2 0.9.5 d bzip2 bzip2 0.9.5 c bzip2 bzip2 0.9.5 b bzip2 bzip2 0.9.5 a bzip2 bzip2 0.9 c bzip2 bzip2 0.9 b bzip2 bzip2 0.9 a bzip2 bzip2 0.9 Apple Mac OS X Server 10.4.10 Apple Mac OS X Server 10.4.9 Apple Mac OS X Server 10.4.8 Apple Mac OS X Server 10.4.7 Apple Mac OS X Server 10.4.6 Apple Mac OS X Server 10.4.5 Apple Mac OS X Server 10.4.4 Apple Mac OS X Server 10.4.3 Apple Mac OS X Server 10.4.2 Apple Mac OS X Server 10.4.1 Apple Mac OS X Server 10.4 Apple Mac OS X 10.4.10 Apple Mac OS X 10.4.9 Apple Mac OS X 10.4.8 Apple Mac OS X 10.4.7 Apple Mac OS X 10.4.6 Apple Mac OS X 10.4.5 Apple Mac OS X 10.4.4 Apple Mac OS X 10.4.3 Apple Mac OS X 10.4.2 Apple Mac OS X 10.4.1 Apple Mac OS X 10.4 |
| Not Vulnerable: | bzip2 bzip2 1.0.3 Apple Mac OS X Server 10.4.11 Apple Mac OS X 10.4.11 |
Discussion
The 'bzip2' utility is reported prone to a security weakness that is present only when an archive is extracted into a world- or group-writeable directory. Reportedly, bzip2 employs nonatomic procedures to write a file and later changes the permissions on the newly extracted file.
A local attacker may leverage this issue to modify file permissions of target files.
This weakness is reported to affect bzip2 1.0.2 and previous versions.
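The write-then-chmod pattern described above, next to a descriptor-based form that is a common way to close this class of race. This is an added example, not bzip2's source and not the vendor's patch; all function names, the `/tmp/bz2raceXXXXXX` directory and the `repoint` stand-in are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for another process acting in the window: 'out' now names a different file. */
static void repoint(const char *out, const char *other) { rename(other, out); }

/* Weak pattern: write, close, then set the saved mode by file name. */
static int restore_by_path(const char *out, const char *other, mode_t mode) {
    int fd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    if (write(fd, "data", 4) != 4) { close(fd); return -1; }
    close(fd);
    repoint(out, other);           /* window between write and chmod */
    return chmod(out, mode);       /* resolves the path a second time */
}

/* Hardened pattern: set the mode on the descriptor that was written. */
static int restore_by_fd(const char *out, const char *other, mode_t mode) {
    int fd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    if (write(fd, "data", 4) != 4) { close(fd); return -1; }
    repoint(out, other);           /* same window, descriptor still open */
    int rc = fchmod(fd, mode);     /* bound to the inode, not the name */
    close(fd);
    return rc;
}

/* Runs one pattern in a private temp dir; returns the unrelated file's final mode bits, or -1. */
int other_file_mode_after(int use_fd) {
    char dir[] = "/tmp/bz2raceXXXXXX", out[64], other[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(out, sizeof out, "%s/out", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    int fd = open(other, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    int rc = use_fd ? restore_by_fd(out, other, 0644) : restore_by_path(out, other, 0644);
    int mode = (rc == 0 && stat(out, &st) == 0) ? (int)(st.st_mode & 0777) : -1;
    unlink(out); rmdir(dir);
    return mode;
}

int main(void) {
    printf("by path: %o, by fd: %o\n", (unsigned)other_file_mode_after(0), (unsigned)other_file_mode_after(1));
}
```

With the path-based form the unrelated file ends up with the restored mode; with `fchmod` it keeps its original 0600 because the mode change follows the open descriptor rather than the name.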
Exploit / POC
No exploit is required.
Solution / Fix
Solution:
The vendor has released bzip2 1.0.3 to address this issue. Please see the referenced vendor advisories for details on obtaining and applying fixes.
Sun Solaris 10.0
- Sun Solaris 10 SPARC platform patch 126868-01
  http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-126868-01-1
bzip2 bzip2 0.9 b
- bzip2 bzip2-1.0.3.tar.gz
  http://www.bzip.org/1.0.3/bzip2-1.0.3.tar.gz
bzip2 bzip2 0.9.5 b
- bzip2 bzip2-1.0.3.tar.gz
  http://www.bzip.org/1.0.3/bzip2-1.0.3.tar.gz
bzip2 bzip2 0.9.5 d
- bzip2 bzip2-1.0.3.tar.gz
  http://www.bzip.org/1.0.3/bzip2-1.0.3.tar.gz
Turbolinux Appliance Server 1.0 Workgroup Edition
- Turbolinux bzip2-1.0.2-8.i586.rpm
  Turbolinux Appliance Server 1.0 Workgroup Edition
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux bzip2-devel-1.0.2-8.i586.rpm
  Turbolinux Appliance Server 1.0 Workgroup Edition
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
bzip2 bzip2 1.0.1
- bzip2 bzip2-1.0.3.tar.gz
  http://www.bzip.org/1.0.3/bzip2-1.0.3.tar.gz
Mandriva Linux Mandrake 10.0 AMD64
- Mandriva bzip2-1.0.2-17.1.100mdk.amd64.rpm
  Mandrakelinux 10.0/AMD64:
  http://www.mandriva.com/en/download
- Mandriva bzip2-1.0.2-17.1.100mdk.src.rpm
  Mandrakelinux 10.0/AMD64:
  http://www.mandriva.com/en/download
- Mandriva lib64bzip2_1-1.0.2-17.1.100mdk.amd64.rpm
  Mandrakelinux 10.0/AMD64:
  http://www.mandriva.com/en/download
- Mandriva lib64bzip2_1-devel-1.0.2-17.1.100mdk.amd64.rpm
  Mandrakelinux 10.0/AMD64:
  http://www.mandriva.com/en/download
Turbolinux Turbolinux Server 10.0
- Turbolinux bzip2-1.0.2-8.i586.rpm
  Turbolinux 10 Server
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/bzip2-1.0.2-8.i586.rpm
- Turbolinux bzip2-devel-1.0.2-8.i586.rpm
  Turbolinux 10 Server
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/bzip2-devel-1.0.2-8.i586.rpm
Turbolinux Turbolinux Desktop 10.0
- Turbolinux bzip2-1.0.2-8.i586.rpm
  Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/bzip2-1.0.2-8.i586.rpm
- Turbolinux bzip2-devel-1.0.2-8.i586.rpm
  Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/bzip2-devel-1.0.2-8.i586.rpm
Mandriva Linux Mandrake 10.1 x86_64
- Mandriva bzip2-1.0.2-20.1.101mdk.src.rpm
  Mandrakelinux 10.1/X86_64:
  http://www.mandriva.com/en/download
- Mandriva bzip2-1.0.2-20.1.101mdk.x86_64.rpm
  Mandrakelinux 10.1/X86_64:
  http://www.mandriva.com/en/download
- Mandriva lib64bzip2_1-1.0.2-20.1.101mdk.x86_64.rpm
  Mandrakelinux 10.1/X86_64:
  http://www.mandriva.com/en/download
- Mandriva lib64bzip2_1-devel-1.0.2-20.1.101mdk.x86_64.rpm
  Mandrakelinux 10.1/X86_64:
  http://www.mandriva.com/en/download
Apple Mac OS X 10.4.10
- Apple Mac OS X 10.4.11 Combo Update (Intel)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat=1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg
- Apple Mac OS X 10.4.11 Combo Update (PPC)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat=1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg
Apple Mac OS X 10.4.2
- Apple Mac OS X 10.4.11 Combo Update (Intel)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat=1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg
- Apple Mac OS X 10.4.11 Combo Update (PPC)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat=1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg
Apple Mac OS X 10.4.3
- Apple Mac OS X 10.4.11 Combo Update (Intel)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat=1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg
- Apple Mac OS X 10.4.11 Combo Update (PPC)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat=1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg
Apple Mac OS X 10.4.4
- Apple Mac OS X 10.4.11 Combo Update (Intel)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat=1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg
- Apple Mac OS X 10.4.11 Combo Update (PPC)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat=1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg
Apple Mac OS X 10.4.7
- Apple Mac OS X 10.4.11 Combo Update (Intel)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat=1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg
- Apple Mac OS X 10.4.11 Combo Update (PPC)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat=1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg
MandrakeSoft Corporate Server 2.1 x86_64
- Mandriva bzip2-1.0.2-10.1.C21mdk.src.rpm
  Corporate Server 2.1/X86_64:
  http://www.mandriva.com/en/download
- Mandriva bzip2-1.0.2-10.1.C21mdk.x86_64.rpm
  Corporate Server 2.1/X86_64:
  http://www.mandriva.com/en/download
- Mandriva libbzip2_1-1.0.2-10.1.C21mdk.x86_64.rpm
  Corporate Server 2.1/X86_64:
  http://www.mandriva.com/en/download
- Mandriva libbzip2_1-devel-1.0.2-10.1.C21mdk.x86_64.rpm
  Corporate Server 2.1/X86_64:
  http://www.mandriva.com/en/download
MandrakeSoft Corporate Server 2.1
- Mandriva bzip2-1.0.2-10.1.C21mdk.i586.rpm
  Corporate Server 2.1:
  http://www.mandriva.com/en/download
- Mandriva bzip2-1.0.2-10.1.C21mdk.src.rpm
  Corporate Server 2.1:
  http://www.mandriva.com/en/download
- Mandriva libbzip2_1-1.0.2-10.1.C21mdk.i586.rpm
  Corporate Server 2.1:
  http://www.mandriva.com/en/download
- Mandriva libbzip2_1-devel-1.0.2-10.1.C21mdk.i586.rpm
  Corporate Server 2.1:
  http://www.mandriva.com/en/download
MandrakeSoft Corporate Server 3.0
- Mandriva bzip2-1.0.2-17.1.C30mdk.i586.rpm
  Corporate 3.0:
  http://www.mandriva.com/en/download
- Mandriva bzip2-1.0.2-17.1.C30mdk.src.rpm
  Corporate 3.0:
  http://www.mandriva.com/en/download
- Mandriva libbzip2_1-1.0.2-17.1.C30mdk.i586.rpm
  Corporate 3.0:
  http://www.mandriva.com/en/download
- Mandriva libbzip2_1-devel-1.0.2-17.1.C30mdk.i586.rpm
  Corporate 3.0:
  http://www.mandriva.com/en/download
FreeBSD FreeBSD 4.11 -RELEASE-p3
- FreeBSD bzip2.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:14/bzip2.patch
- FreeBSD bzip2.patch.asc
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:14/bzip2.patch.asc
FreeBSD FreeBSD 4.11 -STABLE
- FreeBSD bzip2.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:14/bzip2.patch
- FreeBSD bzip2.patch.asc
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:14/bzip2.patch.asc
FreeBSD FreeBSD 5.3
- FreeBSD bzip2.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:14/bzip2.patch
- FreeBSD bzip2.patch.asc
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:14/bzip2.patch.asc
FreeBSD FreeBSD 5.4 -RELENG
- FreeBSD bzip2.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:14/bzip2.patch
- FreeBSD bzip2.patch.asc
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:14/bzip2.patch.asc
Turbolinux Turbolinux Workstation 7.0
- Turbolinux bzip2-1.0.1-8.i586.rpm
  Turbolinux 7 Workstation
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/bzip2-1.0.1-8.i586.rpm
- Turbolinux bzip2-devel-1.0.1-8.i586.rpm
  Turbolinux 7 Workstation
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/bzip2-devel-1.0.1-8.i586.rpm
References
References:
- bzip2 Homepage (bzip2)
- RHSA-2005:474-15 - bzip2 security update (RedHat)
- RHSA-2005:474-21 - bzip2 security update (RedHat)
- Sun Alert ID: 103118 (Sun Microsystems)
- bzip2 TOCTOU file-permissions vulnerability (Imran Ghory)
- 200191: Two Security Vulnerabilities in the bzip2(1) Command may Allow the Permi (Sun)
- Avaya Security Advisory ASA-2007-451 (Avaya)