Tags: security
Severity: grave
severity: important
After looking at the severities of other cpio bug reports that have
been around for hundreds of days, I concluded that this should be
important instead of normal.
tags: security
The docs suggest grave or critical for security bugs, but I'm not sure
whether that is appropriate.
Package: cpio
Version: 2.5-1.2
Severity: normal
Hi,
OK, several related issues here. You probably already see where I am
going, but please humor me for a minute just in case. Not sure if I'm
supposed to file with Debian or with cpio's own bug lair.
I believe (IMHO) that this is a security
P.P.S. I found a more subtle security hole. It is even more dangerous.
/tmp/aaa$ mkdir ../b
/tmp/aaa$ ln -s ../b b
/tmp/aaa$ touch ../b/trojan
/tmp/aaa$ ls b
trojan
/tmp/aaa$ find b b/trojan
b
b/trojan
/tmp/aaa$ find b b/trojan | cpio -o dangerous
cpio: b: truncating inode number
cpio: