Candidate: CAN-1999-1572
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1572
Reference: MISC:http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/1391

cpio on FreeBSD 2.1.0, and possibly other operating systems, uses a 0 umask when creating files using the -O (archive) option, which creates the files with mode 0666 and allows local users to read or overwrite those files.
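The mechanics behind the CAN entry, as an added illustration that is not part of the bug report and not cpio's own code: a program that resets its umask to 0 before creating an output file with the nominal mode 0666 ends up with a world-readable, world-writable file no matter what umask the caller set, while the fix is simply to leave the caller's umask in place. The Python below models both behaviours on a temporary file (the function names, the temporary directory and the 022/077 umasks are constructed for the example) and includes the audit step a maintainer would run to confirm the result: list the files that ended up world-writable.

```python
import os
import stat
import tempfile

# cpio's nominal creation mode for the -O output file; the caller's umask is
# supposed to clear the group/other bits it does not want.
ARCHIVE_MODE = 0o666


def create_archive_with_zero_umask(path: str) -> int:
    """Reproduces the misbehaviour described in CAN-1999-1572 (hypothetical
    model, not cpio's code): the process forces umask 0 before creating the
    output file, so the archive is created 0666 regardless of the caller's
    umask. Returns the resulting permission bits."""
    saved = os.umask(0)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, ARCHIVE_MODE)
        os.close(fd)
    finally:
        os.umask(saved)  # restore so the bug does not leak into the caller
    return stat.S_IMODE(os.stat(path).st_mode)


def create_archive_honouring_umask(path: str) -> int:
    """Fixed behaviour: the same 0666 request, but with the caller's umask
    left untouched, so 022 yields 0644 and 077 yields 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, ARCHIVE_MODE)
    os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def world_writable_files(directory: str) -> list:
    """Audit helper: basenames of regular files in `directory` that carry the
    other-write bit, i.e. files any local user could overwrite."""
    flagged = []
    for name in sorted(os.listdir(directory)):
        st = os.stat(os.path.join(directory, name))
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
            flagged.append(name)
    return flagged


def demo(umask: int = 0o022) -> tuple:
    """Create one archive each way under `umask` and audit the directory.
    Returns (buggy_mode, fixed_mode, world_writable_basenames)."""
    saved = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            buggy = create_archive_with_zero_umask(os.path.join(d, "buggy.cpio"))
            fixed = create_archive_honouring_umask(os.path.join(d, "fixed.cpio"))
            return buggy, fixed, world_writable_files(d)
    finally:
        os.umask(saved)


if __name__ == "__main__":
    buggy, fixed, flagged = demo(0o022)
    print("umask 022: zero-umask create -> %o, umask-honouring create -> %o" % (buggy, fixed))
    print("world-writable after audit:", flagged)
```

Under a 022 umask the zero-umask path yields 0666 and the fixed path 0644; under 077 the fixed path yields 0600 while the buggy one still yields 0666, which is exactly the condition that lets other local users read or overwrite the archive.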
Vapier please check and advise.
example test shows same misbehavior with cpio-2.6
2.6-r1 has the tiny patch to fix this ... i guess if we want to consider this as a serious issue, we'll need the arch guys come in and push 2.6-r1 to stable ... we've had 2.5.90 since Dec 17 2004 and the actual 2.6 release since Jan 03 2005 ... all known issues were fixed with the 2.6 release so it should be a sane candidate for stable i also filed a bug with upstream GNU cpio to have this added upstream
Thx spanKY, please mark stable for sh. Arches please test and mark 2.6-r1 stable.
stable on ppc64
Stable on ppc.
stable on amd64
Stable on sparc.
arm/hppa/ia64/s390/sh/x86 stable
Stable on alpha.
Please vote on GLSA... I don't think one is needed. Yes it's a bug leading to errors but I don't see where it's a vulnerability...
Debian released an advisory: http://www.debian.org/security/2005/dsa-664
Ubuntu released one too: http://www.ubuntulinux.org/support/documentation/usn/usn-75-1 Security please vote!
I slightly tend towards a GLSA, especially since Debian and Ubuntu published one and a CAN (CAN-1999-1572) exists too. Although it's not too big of a thing. So maybe half a vote towards a GLSA ;-)
I give 1/4 of a vote towards a GLSA. So vorlon and I now have 3/4's of a real vote!
Let's consider that lewk+vorlon makes one YES, and my vote one NO. jaervosz, you decide (after all, it's your draft).
I won't cast a vote here -> closing without GLSA. If anyone disagrees feel free to reopen.
mips stable.