Note: This is an archival copy of Security Sun Alert 200191 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000145.1.
Article ID : 1000145.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2008-06-26
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Two Security Vulnerabilities in the bzip2(1) Command may Allow the Permissions of Arbitrary Files to be Modified or Allow for Arbitrarily Large Files to be Created

Category
Security

Release Phase
Resolved

Bug Id
6353235

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Date of Workaround Release
16-OCT-2007

Date of Resolved Release
27-Jun-2008

A security vulnerability in the bzip2(1) command (see below for details)

1. Impact

A security vulnerability in the bzip2(1) command may allow a local unprivileged user to be able to read or modify files owned by another local user who invokes bzip2(1) to either compress or decompress files in a world writable directory. This could include system files if bzip2(1) is issued by a privileged user. [CVE-2005-0953]

A second security vulnerability in the bzip2(1) command may allow arbitrarily large files to be created when decompressing specially crafted bzip2(1) archives which may exhaust disk space and could cause a Denial of service (DoS). [CVE-2005-1260]

These issues are described in the following documents:

CVE-2005-0953 at:

CVE-2005-1260 at:


2. Contributing Factors

These issues can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 138441-01
  • Solaris 9 without patch 114586-02
  • Solaris 10 without patch 126868-01

x86 Platform

  • Solaris 8 without patch 138442-01
  • Solaris 9 without patch 114587-02
  • Solaris 10 without patch 126869-02

Note 1: The file modification issue (CVE-2005-0953) only affects versions of bzip2(1) prior to 1.0.4.

Note 2: The arbitrarily large file issue (CVE-2005-1260) only affects versions of bzip2(1) prior to 1.0.3.

Note 3: The version of bzip2(1) on a system can be determined by running the following command:

    $ bzip2 --version
    bzip2, a block-sorting file compressor.  Version 1.0.4, 20-Dec-2006.
    [...]


3. Symptoms

If the file modification issue (CVE-2005-0953) has occurred, one or more files owned by the user who issued the bzip2(1) command would have their permissions changed.

The symptom of the arbitrarily large file issue (CVE-2005-1260) is the bzip2(1) command taking a long amount of time and the output file continuously growing in size.


4. Workaround

The file modification issue (CVE-2005-0953) can be avoided by not compressing or decompressing files using bzip2(1) in world writable directories.

The arbitrarily large file issue (CVE-2005-1260) can be avoided by only decompressing bzip2(1) files from trusted sources.


5. Resolution

These issues are addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 138441-01 or later
  • Solaris 9 with patch 114586-02 or later
  • Solaris 10 with patch 126868-01 or later

x86 Platform

  • Solaris 8 with patch 138442-01 or later
  • Solaris 9 with patch 114587-02 or later
  • Solaris 10 with patch 126869-02 or later


Modification History
27-Jun-2008: Updated Contributing Factors and Resolution sections. Resolved.


References
 114586-02

 126868-01

 114587-02

 126869-02

 138441-01

 138442-01



                                    



Attachments
This solution has no attachment