compress utilities

Robert Connolly robert at linuxfromscratch.org
Thu Sep 7 19:19:01 PDT 2006


From 'man 1 gzexe':
CAVEATS
The compressed executable is a shell script. This may create some security
holes. In particular, the compressed executable relies on the PATH environment
variable to find gzip and some other utilities (tail, chmod, ln, sleep).

This doesn't seem to be a caveat anymore. All the programs in the compressed 
executable script have an explicit path.

And, from 'man 1 gzexe':
BUGS
gzexe attempts to retain the original file attributes on the compressed
executable, but you may have to fix them manually in some cases, using
chmod or chown.

The vanilla GNU gzexe script seems to not change permissions.

In:
http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/compress/gzexe

permissions are reset with 'chmod u+x'

The BUGS section doesn't mention the temp race vulnerability fixed by the Owl
hardened-tmp patch, and obsd's gzexe.

Attached is a patch to obsd's gzexe to make it work with Linux (also 
substitute /usr/bin/mktemp with /bin/mktemp with recent hlfs), because we put 
gzip in /bin, and Linux's stat(1) uses a different switch for the format 
option. The patch also fixes a POSIX bug with tail(1) which also exists in
the GNU version, and is being reported to LFS trac.

robert
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gzexe.diff
Type: text/x-diff
Size: 1149 bytes
Desc: not available
URL: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20060907/5495309d/attachment.diff>
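
Added example, not part of the original message or of either gzexe implementation: a heuristic shell audit of a gzexe-style wrapper for the three weaknesses discussed above (PATH lookup, temp-file race, tail syntax). The two stubs are constructed samples; that the race comes from a PID-based name under /tmp and that the tail issue is the obsolescent "tail +N" form are assumptions, since the message does not spell them out.

```shell
#!/bin/sh
# Added example: heuristic audit of a gzexe-style self-extracting wrapper.
# Utilities named in the gzexe(1) CAVEATS text quoted above, plus mktemp.
UTILS='gzip|tail|chmod|ln|sleep|mktemp'

# audit_stub FILE: print "<line>:<finding>" for each weakness found.
audit_stub() {
    awk -v utils="$UTILS" '
    /^[ \t]*#/ { next }   # ignore comments and the interpreter line
    {
        # Utility named without a leading "/": resolved through $PATH.
        if ($0 ~ ("(^|[^/A-Za-z0-9_.-])(" utils ")([ \t;|&)]|$)"))
            print NR ":path-lookup"
        # Assumption: the temp race stems from a PID-based name in /tmp.
        if ($0 ~ /\/tmp\/[^ \t]*\$\$/)
            print NR ":predictable-tmp"
        # Assumption: the POSIX issue is "tail +N" versus "tail -n +N".
        if ($0 ~ /tail[ \t]+\+[0-9$]/)
            print NR ":obsolete-tail"
    }' "$1"
}

# write_samples DIR: create two constructed stubs (not real gzexe output).
write_samples() {
    cat > "$1/weak.sh" <<'EOF'
#!/bin/sh
skip=22
tmp=/tmp/gztmp$$
if tail +$skip "$0" | gzip -cd > "$tmp"; then
  chmod 700 "$tmp"
fi
EOF
    cat > "$1/hardened.sh" <<'EOF'
#!/bin/sh
skip=22
tmp=`/bin/mktemp /tmp/gzexe.XXXXXXXXXX` || exit 1
if /usr/bin/tail -n +$skip "$0" | /bin/gzip -cd > "$tmp"; then
  /bin/chmod 700 "$tmp"
fi
EOF
}

dir=$(mktemp -d) && write_samples "$dir"
for f in weak hardened; do
    echo "== $f.sh"; audit_stub "$dir/$f.sh"
done
rm -rf "$dir"
```

The checks are line-based pattern matches, so a utility name that appears as an argument is also flagged; treat findings as prompts for review.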