79844 2005-01-28 07:07 0000 app-arch/cpio possible permission issue 2005-02-06 18:38:03 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://savannah.gnu.org/patch/index.php?func=detailitem&item_id=3690 A4 [noglsa] jaervosz P2 normal --- 1 jaervosz@gentoo.org security@gentoo.org ppc-macos@gentoo.org jaervosz@gentoo.org 2005-01-28 07:07:24 0000 Candidate: CAN-1999-1572 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1572 Reference: MISC:http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/1391 cpio on FreeBSD 2.1.0, and possibly other operating systems, uses a 0 umask when creating files using the -O (archive) option, which creates the files with mode 0666 and allows local users to read or overwrite those files. jaervosz@gentoo.org 2005-01-28 07:07:53 0000 Vapier please check and advise. vapier@gentoo.org 2005-01-28 20:20:27 0000 example test shows same misbehavior with cpio-2.6 vapier@gentoo.org 2005-01-28 20:53:43 0000 2.6-r1 has the tiny patch to fix this ... i guess if we want to consider this as a serious issue, we'll need the arch guys come in and push 2.6-r1 to stable ... we've had 2.5.90 since Dec 17 2004 and the actual 2.6 release since Jan 03 2005 ... all known issues were fixed with the 2.6 release so it should be a sane candidate for stable i also filed a bug with upstream GNU cpio to have this added upstream jaervosz@gentoo.org 2005-01-28 23:13:07 0000 Thx spanKY, please mark stable for sh. Arches please test and mark 2.6-r1 stable. corsair@gentoo.org 2005-01-29 00:48:41 0000 stable on ppc64 hansmi@gentoo.org 2005-01-29 02:15:54 0000 Stable on ppc. luckyduck@gentoo.org 2005-01-29 07:51:40 0000 stable on amd64 weeve@gentoo.org 2005-01-29 09:43:44 0000 Stable on sparc. vapier@gentoo.org 2005-01-29 19:51:20 0000 arm/hppa/ia64/s390/sh/x86 stable kloeri@gentoo.org 2005-01-30 11:34:53 0000 Stable on alpha. koon@gentoo.org 2005-01-31 13:42:46 0000 Please vote on GLSA... I don't think one is needed. Yes it's a bug leading to errors but I don't see where it's a vulnerability... jaervosz@gentoo.org 2005-02-02 11:03:18 0000 Debian released an advisory: http://www.debian.org/security/2005/dsa-664 jaervosz@gentoo.org 2005-02-04 04:15:04 0000 Ubuntu released one too: http://www.ubuntulinux.org/support/documentation/usn/usn-75-1 Security please vote! vorlon@gentoo.org 2005-02-04 04:21:22 0000 I slightly tend towards a GLSA, especially since Debian and Ubuntu published one and a CAN (CAN-1999-1572) exists too. Although it's not too big of a thing. So maybe half a vote towards a GLSA ;-) lewk@gentoo.org 2005-02-04 05:10:20 0000 I give 1/4 of a vote towards a GLSA. So vorlon and I now have 3/4's of a real vote! koon@gentoo.org 2005-02-04 08:50:47 0000 Let's consider that lewk+vorlon makes one YES, and my vote one NO. jaervosz, you decide (after all, it's your draft). jaervosz@gentoo.org 2005-02-04 12:23:46 0000 I won't cast a vote here -> closing without GLSA. If anyone disagree feel free to reopen. kumba@gentoo.org 2005-02-06 18:38:03 0000 mips stable.