Red Hat Bugzilla – Bug 145725
CAN-1999-1572 cpio insecure file creation
Last modified: 2007-11-30 17:07:15 EST
*** This bug has been split off bug 145720 ***
------- Original comment by Josh Bressers (Security Response Team) on 2005.01.20
This is a very old issue. This message was posted to vendor-sec.
GNU cpio -oO appears to generate files with 0666 regardless of
the user's umask. This is true for both cpio 2.5 (RH, SuSE) and
and the (surprisingly 3x) larger cpio 2.6, but I haven't had the
chance to dig into the code yet or sync with the developers yet.
(If anyone else can gets to it before me, by all means...) cpio
has a need to toggle between a "0" umask and the original umask
depending on what it is doing, and gets it wrong in this case.
It's a long-known public issue in general -- earliest I can find
a record of it goes back to 1996, when the BSD folks fixed it:
and fixes against older GNU cpio were posted to gnu.utils.bugs
by The Written Word folks:
but it never seems to have gotten into newer GNU cpio versions.
Fix confirmed with cpio-2.5-7.EL4.1 which is part of RHSA-2005:073.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.