Hi all, I've just uploaded cpio to version 2.6 and noticed that the security bug http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1572 seems not to have been fixed.
> umask 0002 > ./cpio-2.6/src/cpio -o < /tmp/flist -O /tmp/cpio-arch.cpio > ls -l /tmp/cpio-arch.cpio -rw-rw-rw- 1 davide davide 512 2005-03-10 15:06 /tmp/cpio-arch.cpio I've attached the Debian patch ported to cpio 2.6. Greetings. #include <best/regards.h> --- Davide Madrisan QiLinux Security Team Leader - - http://www.qilinux.it PGP keyID: 0x4B72B0B9 fp: 2B79 BFF1 EE33 EE8C 3258 E43C CDA8 EFF3 4B72 B0B9 PGP public key: <http://pgp.mit.edu/>
diff -pur cpio-2.6/src/extern.h cpio-2.6-fix/src/extern.h
--- cpio-2.6/src/extern.h 2004-09-08 10:49:57.000000000 +0000
+++ cpio-2.6-fix/src/extern.h 2005-03-10 14:45:20.000000000 +0000
@@ -91,6 +91,7 @@ extern char output_is_special;
extern char input_is_seekable;
extern char output_is_seekable;
extern char *program_name;
+extern mode_t sys_umask;
extern int (*xstat) ();
extern void (*copy_function) ();
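Review bot: `extern mode_t sys_umask;` relies on `mode_t` already being declared at the point extern.h is read, and this hunk does not show extern.h including `<sys/types.h>` itself. If any translation unit includes extern.h before the system headers, the new declaration will fail to compile there. Adding `#include <sys/types.h>` near the top of extern.h (or stating the requirement in a comment above the declaration) would keep the header self-contained.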
diff -pur cpio-2.6/src/global.c cpio-2.6-fix/src/global.c
--- cpio-2.6/src/global.c 2004-09-08 10:23:44.000000000 +0000
+++ cpio-2.6-fix/src/global.c 2005-03-10 14:47:11.000000000 +0000
@@ -195,6 +195,9 @@ bool to_stdout_option = false;
/* The name this program was run with. */
char *program_name;
+/* Debian hack to make the -O option honor the umask. */
+mode_t sys_umask;
+
/* A pointer to either lstat or stat, depending on whether
dereferencing of symlinks is done for input files. */
int (*xstat) ();
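Review bot: The comment on `sys_umask` says what the variable is for but not what it holds or who writes it, which a reader of global.c cannot tell from the definition alone. I would replace it with `/* The umask cpio was started with, saved by main() before it clears the umask to 0 (presumably so extracted files get their recorded modes); kept so the -O archive is not created world-writable. */`. The phrase "Debian hack" ties the comment to one distribution and can be dropped once the change is carried upstream.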
diff -pur cpio-2.6/src/main.c cpio-2.6-fix/src/main.c
--- cpio-2.6/src/main.c 2004-11-23 00:42:18.000000000 +0000
+++ cpio-2.6-fix/src/main.c 2005-03-10 14:37:06.000000000 +0000
@@ -740,7 +740,6 @@ main (int argc, char *argv[])
textdomain (PACKAGE);
program_name = argv[0];
- umask (0);
#ifdef __TURBOC__
_fmode = O_BINARY; /* Put stdin and stdout in binary mode. */
@@ -751,6 +750,7 @@ main (int argc, char *argv[])
#endif
process_args (argc, argv);
+ sys_umask = umask (0);
initialize_buffers ();
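Review bot: The value stored by `sys_umask = umask (0);` is never read in any hunk shown, so the fix for the world-writable `-O` archive must come entirely from the reordering: `umask (0)` (removed in the preceding hunk) now runs after `process_args`, which only closes the hole if the archive file is opened inside `process_args`. If the archive is instead opened later in the copy-out path, that open must apply the saved mask, e.g. `0666 & ~sys_umask` as the creation mode, and no such hunk is present here; a quick grep for `sys_umask` in the rest of the patch would settle which case applies. Either way, a regression check matching the report above (`umask 0002`, then `cpio -o -O file`, expecting mode 0664 on the archive) would pin the behavior. `main`'s body continues outside both hunks.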
