Package: pbzip2
Version: 1.1.1-1
Severity: important

While pbzip2 is writing compressed data to a file, the output file is
world-readable because my umask is 022. After completing compression,
pbzip2 chmods the output file to the permissions of the input file.

% time pbzip2 -v big
...
Input Size: 104857600 bytes
Compressing data...
^Z
% ls -l
...
-rw------- 1 adi adi 104857600 Jul 8 01:11 big
-rw-r--r-- 1 adi adi 8273 Jul 8 01:11 big.bz2

This can expose private data to other users of the computer if they read
the output file while it's being compressed.

The stock bzip2 program does not show this behavior (testing with bzip2
1.0.5-6).

% time bzip2 -v big
big: ^Z
% ls -l
...
-rw------- 1 adi adi 104857600 Jul 8 01:12 big
-rw------- 1 adi adi 0 Jul 8 01:13 big.bz2

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-rc4-00185-g947d5e7 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pbzip2 depends on:
ii libbz2-1.0 1.0.5-6 high-quality block-sorting file co
ii libc6 2.13-6 Embedded GNU C Library: Shared lib
ii libgcc1 1:4.6.0-12 GCC support library
ii libstdc++6 4.6.0-12 GNU Standard C++ Library v3

pbzip2 recommends no packages.

pbzip2 suggests no packages.

-- no debconf information
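
An added example, not part of the original report and not pbzip2 or bzip2 source: one way to close the window described above is to create the output owner-only and apply the input's permission bits only after the last byte is written. All function names and the temporary paths are hypothetical, and the demo data is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the output owner-only from the first byte. The umask can only
 * clear bits, so 0600 stays 0600 under umask 022. O_EXCL refuses an
 * existing file or a symlink planted at out_path. */
int open_private_output(const char *out_path)
{
    return open(out_path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

/* Once all data is written, copy the input's permission bits. Both calls
 * act on open descriptors, so a renamed path cannot redirect them. */
int finalize_output_mode(int in_fd, int out_fd)
{
    struct stat st;
    if (fstat(in_fd, &st) != 0)
        return -1;
    return fchmod(out_fd, st.st_mode & 0777);
}

/* Constructed demo (hypothetical names): returns the output's mode bits
 * mid-write (finalize == 0) or after finalizing (finalize == 1). */
int demo_output_mode(mode_t in_mode, int finalize)
{
    char dir[] = "/tmp/privout-XXXXXX", in[64], out[64];
    struct stat st;
    int mode = -1;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(in, sizeof in, "%s/big", dir);
    snprintf(out, sizeof out, "%s/big.bz2", dir);
    umask(022);                                   /* umask from the report */
    int in_fd = open(in, O_RDWR | O_CREAT | O_EXCL, 0600);
    int out_fd = open_private_output(out);
    if (in_fd >= 0 && out_fd >= 0 && fchmod(in_fd, in_mode) == 0 &&
        write(out_fd, "partial", 7) == 7 &&       /* stand-in for compressed data */
        (!finalize || finalize_output_mode(in_fd, out_fd) == 0) &&
        fstat(out_fd, &st) == 0)
        mode = (int)(st.st_mode & 0777);
    if (in_fd >= 0) close(in_fd);
    if (out_fd >= 0) close(out_fd);
    unlink(in); unlink(out); rmdir(dir);
    return mode;
}
```

With this ordering a partially written big.bz2 is never more permissive than 0600, even when the input itself is 0644.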