Hi,

We've had a bug reported against the version of gzip that we ship in Solaris:

"The gzcmp and gzdiff (same script hardlinked) commands shipped with Solaris
write to a file in the world writable directory '/tmp' if both of its
arguments are compressed files. 'set -C' is used to ensure that the file
doesn't already exist when it's being written to (which prevents a
symlink-based attack), but that allows a mild Denial of Service by creating
this file in advance, which would therefore cause gzcmp / gzdiff to abort.

      set -C
      trap 'rm -f /tmp/"$F".$$; exit 2' 1 2 13 15 0
      gzip -cdfq "$2" > /tmp/"$F".$$ || exit


gznew is similarly impacted:

      tmp=/tmp/zfoo.$$
      set -C
      echo hi > $tmp.1
      echo hi > $tmp.2

While it's arguably unlikely that these issues would ever be exploited,
it is suggested that it would be better for these commands to use mktemp."

Thanks.
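
The pattern described in the report beside a mktemp-based alternative, as an added example that is not part of the original message or of gzip's own scripts. The scratch directory, the `zfoo.12345` name and the function names are constructed for illustration, and `mktemp` is assumed to be installed.

```shell
#!/bin/sh
# Added example: predictable temp name guarded by noclobber vs. mktemp.
# Runs entirely inside a private scratch directory standing in for /tmp.

# Pattern from the report: guessable name, 'set -C' refuses to overwrite.
# Safe against symlink clobbering, but fails if the name already exists.
write_predictable() {   # $1 = dir, $2 = base name, $3 = PID-like suffix
    (
        set -C
        printf 'data\n' > "$1/$2.$3"
    ) 2>/dev/null
}

# Alternative: mktemp chooses an unpredictable name and creates the file
# atomically, so a name created in advance cannot block the write.
write_mktemp() {        # $1 = dir, $2 = base name; prints the path created
    tmp=$(mktemp "$1/$2.XXXXXX") || return 1
    printf 'data\n' > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$tmp"
}

demo() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/gzdemo.XXXXXX") || return 1

    # Constructed condition: the guessable name exists before the tool runs.
    : > "$scratch/zfoo.12345"

    if write_predictable "$scratch" zfoo 12345; then
        r1=ok
    else
        r1=aborted
    fi

    if out=$(write_mktemp "$scratch" zfoo) && [ -f "$out" ]; then
        r2=ok
    else
        r2=aborted
    fi

    rm -rf "$scratch"
    echo "predictable=$r1 mktemp=$r2"
}

demo
```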


