Bug 152891
| Summary: | CAN-1999-1572 cpio broken file permissions | ||
|---|---|---|---|
| Product: | [Retired] Fedora Legacy | Reporter: | David Lawrence <dkl> |
| Component: | cpio | Assignee: | Fedora Legacy Bugs <bugs> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | donjr, jpdalbec, mattdm, pekkas |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | 1, LEGACY, rh90 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-07-16 02:11:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
David Lawrence
2005-03-30 23:31:09 UTC
05.17.19 CVE: CAN-2005-1229 Platform: Unix Title: cpio Filename Directory Traversal Description: cpio is an file compression/decompression utility. It is prone to a directory traversal vulnerability. The issue manifests itself when cpio is invoked on a malicious archive. A remote attacker may leverage this issue using a malicious archive to corrupt arbitrary files with the privileges of the user that is running the vulnerable software. Ref: http://www.securityfocus.com/archive/1/396429 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA for cpio-2.5-3.1.legacy.src.rpm for RHL9: * only change to spec file is the addition of the patch to fix the security issue and the lfs support patch * verified that these patches are bit-for-bit identical to the patches in the RHEL update * package build and installs fine * seems to run fine +PUBLISH RHL9 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFCemlrz8vebpLJCdYRAv6tAJkB4qS8fMq2EP5pf4ljNE6pVfQHYwCdHvvK 19N3ENeF5cs1hfMjRF4HSAk= =0+xz -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I performed QA on the FC1 package. 8407312965e282a313b053cc6b68851b7e754eda cpio-2.5-5.1.legacy.src.rpm Used rpm-build-compare to compare the above versions to the previous versions. Patch additions are the umask patch and the LFS patches. Patches are as expected. specfile changes are adding the patches, adding 1.legacy to version, and adding to changelog. +PUBLISH FC1 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) iD8DBQFCtIxHTnwK660bsQMRAj8BAJwKxhVAqqtdAXtSC9+IS0eymynBCQCeI6am ksShJxYV2jXnfruawjadLho= =By9l -----END PGP SIGNATURE----- Thanks! Packages were pushed to updates-testing -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Quick test on RHL9. Make a few 'rpm2cpio' -> 'cpio -id' runs, and cpio seemed to work OK. +VERIFY RHL9 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFCwpb7GHbTkzxSL7QRAs4wAKC5bXf2vD12xnuDK/U26/hqz0AeaACfTWQ7 UZJGu7kS6ZVOMc1AG99mmE0= =SEaw -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ++VERIFY for RHL 9 Packages: cpio-2.5-3.2.legacy.i386.rpm SHA1 checksums all match test update advisory. Signatures verify okay. Before the update, I created an -O archive, and noted it was indeed created with the incorrect permission (rw-rw-rw-) on the output file. I then installed the update without any installation problems. I ran the same test but with a different output filename. An ls on the output file shows it now has correct permissions for my umask (rw-rw-r--). Archive sizes match between the two runs, so output would seem reasonable, etc. All worked as expected. Saw no obvious problems or issues, and confirmed that the change worked. Vote for release for RHL 9. ++VERIFY -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFCwvgP4jZRbknHoPIRAgsdAKCRdSY4qya+LgjGUCot0orj6uhCUgCghxvd HvcDjiiZwyH1ne/ctotVe3A= =99jB -----END PGP SIGNATURE----- Timeout over. Packages were released to updates. |