#200191: Two Security Vulnerabilities in the bzip2(1) Command may Allow the Permissions of Arbitrary Files to be Modified or Allow for Arbitrarily Large Files to be Created

Two Security Vulnerabilities in the bzip2(1) Command may Allow the Permissions of Arbitrary Files to be Modified or Allow for Arbitrarily Large Files to be Created

Category :	Security
Release Phase :	Resolved
Bug Id :	6353235
Product :	Solaris 9 Operating System Solaris 10 Operating System Solaris 8 Operating System
Date of Workaround Release :	16-OCT-2007
Date of Resolved Release :	27-Jun-2008

A security vulnerability in the bzip2(1) command  (see below for details)

1. Impact

A security vulnerability in the bzip2(1) command may allow a local unprivileged user to be able to read or modify files owned by another local user who invokes bzip2(1) to either compress or decompress files in a world writable directory. This could include system files if bzip2(1) is issued by a privileged user. [CVE-2005-0953]

A second security vulnerability in the bzip2(1) command may allow arbitrarily large files to be created when decompressing specially crafted bzip2(1) archives which may exhaust disk space and could cause a Denial of service (DoS). [CVE-2005-1260]

These issues are described in the following documents:

CVE-2005-0953 at:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0953

CVE-2005-1260 at:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1260

2. Contributing Factors

These issues can occur in the following releases:

SPARC Platform

Solaris 8 without patch 138441-01
Solaris 9 without patch 114586-02
Solaris 10 without patch 126868-01

x86 Platform

Solaris 8 without patch 138442-01
Solaris 9 without patch 114587-02
Solaris 10 without patch 126869-02

Note 1: The file modification issue (CVE-2005-0953) only affects versions of bzip2(1) prior to 1.0.4.

Note 2: The arbitrarily large file issue (CVE-2005-1260) only affects versions of bzip2(1) prior to 1.0.3.

Note 3: The version of bzip2(1) on a system can be determined by running the following command:

    $ bzip2 --version
    bzip2, a block-sorting file compressor.  Version 1.0.4, 20-Dec-2006.
    [...]

3. Symptoms

If the file modification issue (CVE-2005-0953) has occurred, one or more files owned by the user who issued the bzip2(1) command would have their permissions changed.

The symptom of the arbitrarily large file issue (CVE-2005-1260) is the bzip2(1) command taking a long amount of time and the output file continuously growing in size.

4. Workaround

The file modification issue (CVE-2005-0953) can be avoided by not compressing or decompressing files using bzip2(1) in world writable directories.

The arbitrarily large file issue (CVE-2005-1260) can be avoided by only decompressing bzip2(1) files from trusted sources.

5. Resolution

These issues are addressed in the following releases:

SPARC Platform

Solaris 8 with patch 138441-01 or later
Solaris 9 with patch 114586-02 or later
Solaris 10 with patch 126868-01 or later

x86 Platform

Solaris 8 with patch 138442-01 or later
Solaris 9 with patch 114587-02 or later
Solaris 10 with patch 126869-02 or later

Modification History

27-Jun-2008: Updated Contributing Factors and Resolution sections. Resolved.

Attachments

This solution has no attachment

Login Required

Login Required