Red Hat Bugzilla – Bug 156399
CAN-1999-1572 cpio insecure file creation
Last modified: 2007-11-30 17:07:17 EST
+++ This bug was initially created as a clone of Bug #145720 +++
This is a very old issue. This message was posted to vendor-sec.
GNU cpio -oO appears to generate files with 0666 regardless of
the user's umask. This is true for both cpio 2.5 (RH, SuSE) and
and the (surprisingly 3x) larger cpio 2.6, but I haven't had the
chance to dig into the code yet or sync with the developers yet.
(If anyone else can gets to it before me, by all means...) cpio
has a need to toggle between a "0" umask and the original umask
depending on what it is doing, and gets it wrong in this case.
It's a long-known public issue in general -- earliest I can find
a record of it goes back to 1996, when the BSD folks fixed it:
and fixes against older GNU cpio were posted to gnu.utils.bugs
by The Written Word folks:
but it never seems to have gotten into newer GNU cpio versions.
I think this is already fixed in
You're right, thanks for the catch.