Red Hat Bugzilla – Bug 145721
CAN-1999-1572 cpio insecure file creation
Last modified: 2007-11-30 17:10:58 EST
*** This bug has been split off bug 145720 ***
------- Original comment by Josh Bressers (Security Response Team) on 2005.01.20
This is a very old issue. This message was posted to vendor-sec.
GNU cpio -oO appears to generate files with 0666 regardless of
the user's umask. This is true for both cpio 2.5 (RH, SuSE) and
and the (surprisingly 3x) larger cpio 2.6, but I haven't had the
chance to dig into the code yet or sync with the developers yet.
(If anyone else can gets to it before me, by all means...) cpio
has a need to toggle between a "0" umask and the original umask
depending on what it is doing, and gets it wrong in this case.
It's a long-known public issue in general -- earliest I can find
a record of it goes back to 1996, when the BSD folks fixed it:
and fixes against older GNU cpio were posted to gnu.utils.bugs
by The Written Word folks:
but it never seems to have gotten into newer GNU cpio versions.
This issue should also affect FC2.
Created attachment 110126 [details]
patch is excerpted from http://groups-beta.google.com/group/gnu.utils.bug/msg/4db088ee6031c9ec