Re: bzip2 TOCTOU file-permissions vulnerability

[Steve Grubb <linux_4ever () yahoo com>]

In-Reply-To: <7389fc4b0503301338f74a428 () mail gmail com>

> ================================
> bzip2 TOCTOU file-permissions vulnerability 
> ================================
>
> Software: bzip2
> Version: 1.0.2
> Software URL: <http://sources.redhat.com/bzip2/>
> Platform:  Unix, Linux.
> Vulnerability type: Time-of-Check-Time-Of-Use
> Severity: Low, requires local attacker and badly set
> directory permissions.


This is completely wrong. If you look at the code to bzip2.c, you'll see that it calls fopen_output_safely(). This 
function in turn does an

open(name,  O_WRONLY|O_CREAT|O_EXCL, S_IWUSR|S_IRUSR);

This means the file is opened with perms 0600.

> Vulnerable software
> ====================
>
> bzip2 1.0.2 and previous versions running on unix. 
>
> bzip2 1.0.2 compiled for Windows using lcc or MS
> Visual C++  is not effected.

Wrong again. In fopen_output_safely, if BZ_UNIX is not set, the it resorts to fopen. Looking at the manual_3.html page, 
it says that on Win32 you set this define to 0. Therefore windows might be vulnerable.

> Vulnerability
> ============== 
>
> If a malicious local user has write access to a
> directory in which a target user is using bzip2 to
> extract or compress a file to then a TOCTOU bug can 
> be exploited to change the permission of any file
> belonging to that user.

Wrong. They must be logged in as that user. Remember, perms on tmp file was 0600.

> Fix
> ====
>
> Ensure that any directory which is being used by 
> bzip2 to compress/decompress files is only writeable
> by the user or alternatively set the sticky bit on the
> directory's permissions

According to changelog, this was fixed in 1.0.2. So, 1.0.1 and earlier might be a problem. This report is wrong in 
almost all aspects.

-Steve Grubb