Bug 152891 - CAN-1999-1572 cpio broken file permissions
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: cpio
unspecified
All Linux
medium Severity medium
Assigned To: Fedora Legacy Bugs
1, LEGACY, rh90
: Security
Reported: 2005-02-02 08:11 EST by David Lawrence
Modified: 2007-04-18 13:22 EDT
Doc Type: Bug Fix
Last Closed: 2005-07-15 22:11:21 EDT
Description David Lawrence 2005-03-30 18:31:09 EST
from DSA-664 (http://www.debian.org/security/2005/dsa-664):
===
It has been discovered, that cpio, a program to manage archives of files,
creates output files with -O and -F with broken permissions due to a reset zero
umask which allows local users to read or overwrite those files.
===



------- Additional Comments From pekkas@netcore.fi 2005-02-18 08:47:24 ----

https://rhn.redhat.com/errata/RHSA-2005-080.html


New RPMs for QA for RHL9 and FC1:
 - This does not apply to RHL73, because it includes a patch from FreeBSD
already fixing this; this was removed in RHL9 and FC1.
 - I've also applied LFS patch (for >2GB files) because it came from RHEL3.

http://www.netcore.fi/pekkas/linux/cpio-2.5-3.1.legacy.src.rpm (RHL9)
http://www.netcore.fi/pekkas/linux/cpio-2.5-5.1.legacy.src.rpm (FC1)

28700e05726a60c0a2ae298ce06231b1e34d530c  cpio-2.5-3.1.legacy.src.rpm
8407312965e282a313b053cc6b68851b7e754eda  cpio-2.5-5.1.legacy.src.rpm

* Fri Feb 18 2005 Pekka Savola <pekkas@netcore.fi> 2.5-3.1.legacy
- fix CAN-1999-1572 and add >2GB file support, from RHEL (#2408)




------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:31 -------

This bug previously known as bug 2408 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2408
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl@redhat.com.
   Previous reporter was bugzilla.fedora.us@beej.org.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 John Dalbec 2005-04-29 12:25:27 EDT
05.17.19 CVE: CAN-2005-1229
Platform: Unix
Title: cpio Filename Directory Traversal
Description: cpio is a file compression/decompression utility. It is
prone to a directory traversal vulnerability. The issue manifests
itself when cpio is invoked on a malicious archive. A remote attacker
may leverage this issue using a malicious archive to corrupt arbitrary
files with the privileges of the user that is running the vulnerable
software.
Ref: http://www.securityfocus.com/archive/1/396429 
Comment 2 Matthew Miller 2005-05-05 14:44:37 EDT

QA for cpio-2.5-3.1.legacy.src.rpm for RHL9:

* only change to spec file is the addition of the
  patch to fix the security issue and the lfs
  support patch
* verified that these patches are bit-for-bit
  identical to the patches in the RHEL update
* package builds and installs fine
* seems to run fine

+PUBLISH RHL9
Comment 3 Donald Maner 2005-06-18 17:06:27 EDT

I performed QA on the FC1 package.

8407312965e282a313b053cc6b68851b7e754eda  cpio-2.5-5.1.legacy.src.rpm

Used rpm-build-compare to compare the above versions to the previous versions.

Patch additions are the umask patch and the LFS patches.

Patches are as expected.

specfile changes are adding the patches, adding 1.legacy to version, and adding
to changelog.

+PUBLISH FC1

Comment 4 Pekka Savola 2005-06-18 17:17:42 EDT
Thanks!
Comment 5 Marc Deslauriers 2005-06-20 06:43:45 EDT
Packages were pushed to updates-testing
Comment 6 Pekka Savola 2005-06-29 08:41:59 EDT
Quick test on RHL9.  Make a few 'rpm2cpio' -> 'cpio -id' runs,
and cpio seemed to work OK.
 
+VERIFY RHL9
Comment 7 Eric Jon Rostetter 2005-06-29 15:36:56 EDT
++VERIFY for RHL 9
 
Packages:
cpio-2.5-3.2.legacy.i386.rpm
 
SHA1 checksums all match test update advisory.  Signatures verify okay.
 
Before the update, I created an -O archive, and noted it was indeed created
with the incorrect permission (rw-rw-rw-) on the output file.
 
I then installed the update without any installation problems.  I ran
the same test but with a different output filename.  An ls on the output
file shows it now has correct permissions for my umask (rw-rw-r--). Archive
sizes match between the two runs, so output would seem reasonable, etc.
 
All worked as expected.  Saw no obvious problems or issues, and confirmed
that the change worked.
 
Vote for release for RHL 9. ++VERIFY
 
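Added example, not part of the original bug thread and not cpio's source: a minimal C model of the behaviour described in the DSA-664 text and checked in Comment 7, where an output file created while the umask is reset to zero ends up rw-rw-rw-, and one created with the caller's umask honoured ends up rw-rw-r--. The function names, the /tmp scratch path, the 0666 creation mode and the umask of 002 (inferred from the rw-rw-r-- result) are assumptions made for the illustration.

```c
/* Added illustration of the umask handling discussed in this bug; not cpio code. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create `path` with a requested mode of 0666, optionally zeroing the umask
 * first (the flawed pattern), and return the permission bits the file
 * actually received. The file is removed again. Returns -1 on error. */
static int create_output(const char *path, int reset_umask)
{
    mode_t saved = 0;
    struct stat st;
    int fd, rc;

    if (reset_umask)
        saved = umask(0);      /* caller's umask is discarded for this open() */
    /* O_EXCL: refuse to reuse an existing file or follow a planted symlink */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (reset_umask)
        umask(saved);          /* restore so later calls are unaffected */
    if (fd < 0)
        return -1;
    rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    return rc == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Set the process umask to `mask`, create a scratch output file with or
 * without the reset, and report the resulting mode. */
static int mode_under_umask(mode_t mask, int reset_umask)
{
    char path[64];
    mode_t old;
    int mode;

    /* hypothetical scratch file name, unique per process */
    snprintf(path, sizeof path, "/tmp/umask-demo-%ld.out", (long)getpid());
    old = umask(mask);
    mode = create_output(path, reset_umask);
    umask(old);
    return mode;
}

int main(void)
{
    printf("umask 002, reset to 0: %04o\n", (unsigned)mode_under_umask(002, 1));
    printf("umask 002, honoured:   %04o\n", (unsigned)mode_under_umask(002, 0));
    return 0;
}
```

The same check works as a regression test for any tool that writes output files on a user's behalf: run it under a restrictive umask such as 077 and confirm that no group or other bits appear.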
Comment 8 Pekka Savola 2005-07-14 03:10:22 EDT
Timeout over.
Comment 9 Marc Deslauriers 2005-07-15 22:11:21 EDT
Packages were released to updates.
