From: Martin Schulze
Date: Thu, 2 Jun 2005 14:26:06 +0000 (+0200)
Subject: Imported Debian patch 1.3.2-3woody4
X-Git-Url: https://git.cworth.org/git?p=gzip;a=commitdiff_plain;h=56c59c67dcb8047cb2f286f6d7fad199b30a0346

Imported Debian patch 1.3.2-3woody4
---

diff --git a/debian/changelog b/debian/changelog
index 5c60f49..d4fd58e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+gzip (1.3.2-3woody4) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Applied patch by Steve Grub to fix premission setting race condition
+ [gzip.c, CAN-2005-0988]
+ * Applied patch by Ulf Härnhammar to fix directory traversal problem
+ [gzip.c, CAN-2005-1228, Bug#305255]
+
+ -- Martin Schulze Thu, 2 Jun 2005 16:26:06 +0200
+
 gzip (1.3.2-3woody3) stable-security; urgency=high
 
 * Non-maintainer upload by the Security Team
diff --git a/gzip.c b/gzip.c
index b18a0a9..f69b8c9 100644
--- a/gzip.c
+++ b/gzip.c
@@ -878,8 +878,11 @@ local void treat_file(iname)
 }
 
 close(ifd);
- if (!to_stdout && close(ofd)) {
- write_error();
+ if (!to_stdout) {
+ /* Copy modes, times, ownership, and remove the input file */
+ copy_stat(&istat);
+ if (close(ofd))
+ write_error();
 }
 if (method == -1) {
 if (!to_stdout) xunlink (ofname);
@@ -899,10 +902,6 @@ local void treat_file(iname)
 }
 fprintf(stderr, "\n");
 }
- /* Copy modes, times, ownership, and remove the input file */
- if (!to_stdout) {
- copy_stat(&istat);
- }
 }
 
 /* ========================================================================
@@ -1322,6 +1321,7 @@ local int get_method(in)
 /* Copy the base name. Keep a directory prefix intact. */
 char *p = base_name (ofname);
 char *base = p;
+ char *base2;
 for (;;) {
 *p = (char)get_char();
 if (*p++ == '\0') break;
@@ -1329,6 +1329,8 @@ local int get_method(in)
 error("corrupted input -- file name too large");
 }
 }
+ base2 = base_name (base);
+ strcpy(base, base2);
 /* If necessary, adapt the name to local OS conventions: */
 if (!list) {
 MAKE_LEGAL_NAME(base);
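Review bot: In the treat_file hunk at -878, `copy_stat(&istat)` now runs before both the `close(ofd)` check and the `if (method == -1)` failure branch, and per its own comment it also removes the input file. As far as these lines show, a failed compression or decompression would therefore delete the input and then `xunlink` the output, leaving the user with neither file. I would keep the descriptor-based call ahead of `close(ofd)` but guard it, e.g. `if (method != -1) copy_stat(&istat);`, or split the input-file removal out of `copy_stat` so it happens only after the close and the method check have succeeded. treat_file starts and ends outside this hunk, and the following hunk at -899 only removes the old call site.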
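Review bot: `strcpy(base, base2);` in the get_method hunk at -1329 copies between overlapping regions, because `base2` comes from `base_name (base)` and so presumably points into the same buffer as `base` (or equals it when the stored name has no directory part); strcpy is undefined for overlapping objects. `memmove(base, base2, strlen(base2) + 1);` performs the same left shift with defined semantics. The two added lines also deserve a comment saying why the stored name is cut down to its last component, e.g. `/* Strip any directory part: the name is read from the input and is untrusted */`, and it is worth confirming what happens when nothing is left after stripping. The `char *base2;` declaration is in the preceding hunk at -1322, and get_method's body extends outside both hunks.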
@@ -1730,7 +1732,7 @@ local void copy_stat(ifstat)
 reset_times(ofname, ifstat);
 #endif
 /* Copy the protection modes */
- if (chmod(ofname, ifstat->st_mode & 07777)) {
+ if (fchmod(ofd, ifstat->st_mode & 07777)) {
 int e = errno;
 WARN((stderr, "%s: ", progname));
 if (!quiet) {
@@ -1739,7 +1741,7 @@ local void copy_stat(ifstat)
 }
 }
 #ifndef NO_CHOWN
- chown(ofname, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
+ (void) fchown(ofd, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
 #endif
 remove_ofname = 0;
 /* It's now safe to remove the input file: */
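Review bot: The move to descriptor-based calls in copy_stat is incomplete: the context line `reset_times(ofname, ifstat);` just above the `fchmod` still acts on the path name, so the timestamp copy is applied to whatever `ofname` resolves to at that moment. If no descriptor-based time call is available on all targets, a comment such as `/* reset_times() still goes by name; only mode and ownership use ofd */` would keep the remaining exposure visible. In the second hunk, `(void) fchown(...)` discards the result while the mode copied just before keeps the set-id bits (`& 07777`); either say in a comment why failure is ignored or drop the set-id bits when ownership could not be copied. copy_stat starts and ends outside both hunks.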