From 3204849b3bef52d88cc74e08a06130ecb3e88977 Mon Sep 17 00:00:00 2001
From: Jakub Bogusz <qboosh@pld-linux.org>
Date: Tue, 21 Jun 2005 09:54:21 +0000
Subject: [PATCH] - CAN-2005-0953

Changed files:
    bzip2-toctou.patch -> 1.1
---
 bzip2-toctou.patch | 147 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 147 insertions(+)
 create mode 100644 bzip2-toctou.patch

diff --git a/bzip2-toctou.patch b/bzip2-toctou.patch
new file mode 100644
index 0000000..42cd3ba
--- /dev/null
+++ b/bzip2-toctou.patch
@@ -0,0 +1,147 @@
+From Debian:
+
+ * Fixed RC bug "file permissions modification race (CAN-2005-0953)", closes:
+   #303300. Patch by Santiago Ruano Rincon <santiago@unicauca.edu.co>.
+   Original patch available at
+   http://marc.theaimsgroup.com/?l=bugtraq&m=111352423504277&w=2
+
+--- bzip2-1.0.2.orig/bzip2.c
++++ bzip2-1.0.2/bzip2.c
+@@ -312,6 +312,7 @@
+ 
+ static void    copyFileName ( Char*, Char* );
+ static void*   myMalloc     ( Int32 );
++static int     applySavedFileAttrToOutputFile ( int fd );
+ 
+ 
+ 
+@@ -457,6 +458,10 @@
+    ret = fflush ( zStream );
+    if (ret == EOF) goto errhandler_io;
+    if (zStream != stdout) {
++      int fd = fileno ( zStream );
++      if (fd < 0) goto errhandler_io;
++      ret = applySavedFileAttrToOutputFile ( fd );
++      if (ret != 0) goto errhandler_io;
+       ret = fclose ( zStream );
+       outputHandleJustInCase = NULL;
+       if (ret == EOF) goto errhandler_io;
+@@ -567,6 +574,12 @@
+ 
+    closeok:
+    if (ferror(zStream)) goto errhandler_io;
++   if ( stream != stdout) {
++      int fd = fileno ( stream );
++      if (fd < 0) goto errhandler_io;
++      ret = applySavedFileAttrToOutputFile ( fd );
++      if (ret != 0) goto errhandler_io;
++   }
+    ret = fclose ( zStream );
+    if (ret == EOF) goto errhandler_io;
+ 
+@@ -1125,7 +1140,7 @@
+ 
+ 
+ static 
+-void applySavedMetaInfoToOutputFile ( Char *dstName )
++void applySavedTimeInfoToOutputFile ( Char *dstName )
+ {
+ #  if BZ_UNIX
+    IntNative      retVal;
+@@ -1134,16 +1149,26 @@
+    uTimBuf.actime = fileMetaInfo.st_atime;
+    uTimBuf.modtime = fileMetaInfo.st_mtime;
+ 
+-   retVal = chmod ( dstName, fileMetaInfo.st_mode );
+-   ERROR_IF_NOT_ZERO ( retVal );
+-
+    retVal = utime ( dstName, &uTimBuf );
+    ERROR_IF_NOT_ZERO ( retVal );
++#  endif
++}
+ 
+-   retVal = chown ( dstName, fileMetaInfo.st_uid, fileMetaInfo.st_gid );
++static
++int applySavedFileAttrToOutputFile ( int fd )
++{
++#  if BZ_UNIX
++   IntNative      retVal;
++
++   retVal = fchmod ( fd, fileMetaInfo.st_mode );
++   if (retVal != 0)
++       return retVal;
++
++   (void) fchown ( fd, fileMetaInfo.st_uid, fileMetaInfo.st_gid );
+    /* chown() will in many cases return with EPERM, which can
+       be safely ignored.
+    */
++   return 0;
+ #  endif
+ }
+ 
+@@ -1366,7 +1391,7 @@
+ 
+    /*--- If there was an I/O error, we won't get here. ---*/
+    if ( srcMode == SM_F2F ) {
+-      applySavedMetaInfoToOutputFile ( outName );
++      applySavedTimeInfoToOutputFile ( outName );
+       deleteOutputOnInterrupt = False;
+       if ( !keepInputFiles ) {
+          IntNative retVal = remove ( inName );
+@@ -1544,7 +1569,7 @@
+    /*--- If there was an I/O error, we won't get here. ---*/
+    if ( magicNumberOK ) {
+       if ( srcMode == SM_F2F ) {
+-         applySavedMetaInfoToOutputFile ( outName );
++         applySavedTimeInfoToOutputFile ( outName );
+          deleteOutputOnInterrupt = False;
+          if ( !keepInputFiles ) {
+             IntNative retVal = remove ( inName );
+--- bzip2-1.0.2.orig/bzip2recover.c
++++ bzip2-1.0.2/bzip2recover.c
+@@ -56,6 +56,8 @@
+ #include <errno.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <fcntl.h>
++#include <unistd.h>
+ 
+ 
+ /* This program records bit locations in the file to be recovered.
+@@ -301,6 +303,19 @@
+        name[n-1] == '2');
+ }
+ 
++/*---------------------------------------------*/
++/* Open an output file safely with O_EXCL and good permissions */
++FILE* fopen_output( Char* name, const char* mode )
++{
++  FILE *fp;
++  int   fh;
++   
++  fh = open(name, O_WRONLY|O_CREAT|O_EXCL, 0600);
++  if (fh == -1) return NULL;
++  fp = fdopen(fh, mode);
++  if (fp == NULL) close(fh);
++  return fp;
++}
+ 
+ /*---------------------------------------------------*/
+ /*---                                             ---*/
+@@ -338,6 +353,7 @@
+    Int32       b, wrBlock, currBlock, rbCtr;
+    MaybeUInt64 bitsRead;
+ 
++
+    UInt32      buffHi, buffLo, blockCRC;
+    Char*       p;
+ 
+@@ -518,7 +534,7 @@
+          fprintf ( stderr, "   writing block %d to `%s' ...\n",
+                            wrBlock+1, outFileName );
+ 
+-         outFile = fopen ( outFileName, "wb" );
++         outFile = fopen_output ( outFileName, "wb" );
+          if (outFile == NULL) {
+             fprintf ( stderr, "%s: can't write `%s'\n",
+                       progName, outFileName );
-- 
2.44.0