Eric Blake <[EMAIL PROTECTED]> writes: > According to Soren Spies on 8/16/2007 8:16 PM: >> I just noticed that cp -p doesn't update the group on a file before >> writing data into the target. That means that during the copy, users >> you didn't intend to be able to read the file can read the file. > > This was already noticed and fixed in 6.9.
No, the 6.9 security bug was something different. The security bug Soren Spies reported was fixed in coreutils 6.7; the NEWS file says this bug affects 6.0 through 6.6, but I guess this is not quite right, as it appears there's also a bug in 5.97. Perhaps in response to Soren Spies's report, Alekx Bromfield filed a Debian bug report, which you can track at <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=438452>. Maybe the NEWS file should be changed? Something like this? 2007-08-17 Paul Eggert <[EMAIL PROTECTED]> * NEWS: The old cp -p bug affected coreutils releases before 6.0. Problem reported by Soren Spies in <http://lists.gnu.org/archive/html/bug-coreutils/2007-08/msg00106.html>. To be conservative, just say the bug was in all versions through 6.6. --- old/NEWS 2007-08-08 14:08:02.000000000 -0700 +++ new/NEWS 2007-08-17 12:50:12.000000000 -0700 @@ -206,7 +206,7 @@ GNU coreutils NEWS Fix similar problems with cp options like -p that imply --preserve=ownership, with install -d when combined with either -o or -g, and with mv when copying across file system boundaries. - This bug affects coreutils 6.0 through 6.6. + This bug affects all versions of coreutils through 6.6. du --one-file-system (-x) would skip subdirectories of any directory listed as second or subsequent command line argument. This bug affects _______________________________________________ Bug-coreutils mailing list Bug-coreutils@gnu.org http://lists.gnu.org/mailman/listinfo/bug-coreutils
