Bug 163096

Summary: cpio - CAN-2005-1111 race and CAN-2005-1229 directory traversal issues
Product: [Retired] Fedora Legacy Reporter: Michal Jaegermann <michal>
Component: cpioAssignee: Fedora Legacy Bugs <bugs>
Status: CLOSED CANTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: deisenst
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-04-12 00:36:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michal Jaegermann 2005-07-12 20:36:20 UTC 
Description of problem:

Bug #155751 and bug #156314 describe problems detailed in CAN-2005-1111
and CAN-2005-1229.  This is different than bug #152891.  A version of cpio
with these fixed is included in FC4 set.

For RHEL 7.3 there is a new source package at
ftp://ftp.harddata.com/pub/Legacy_srpms/cpio-2.4.2-26.1hd.src.rpm
with two patches "ported" from cpio-2.6-7 (FC4).  This changes semantics.
An old '--no-absolute-filenames' is still recognized, although not documented,
but this is a default which can be changed with new '--absolute-filenames'.

These issues affect all other versions of cpio below 2.6-7.
Comment 1 David Eisenstein 2007-04-12 00:36:10 UTC 
Red Hat Linux and Fedora Core releases <=4 are now completely unmaintained.
These bugs can't be fixed in these versions.  If the issue still persists in
current Fedora Core releases, please reopen.  Thank you, and sorry about this.