Bug 155749 - CVE-2005-1111 Race condition in cpio
Summary: CVE-2005-1111 Race condition in cpio
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: cpio
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Peter Vrabec
QA Contact: Brock Organ
Whiteboard: impact=moderate,public=20050413,sourc...
Depends On:
Reported: 2005-04-22 18:45 UTC by Josh Bressers
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHSA-2005:378
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2006-04-30 02:51:31 UTC
Target Upstream Version:

Attachments
Proposed patch from Steve Grubb (deleted)
2005-04-29 13:44 UTC, Mark J. Cox
I suggest to use this patch. (deleted)
2005-07-01 09:38 UTC, Peter Vrabec

System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2005:378 | normal | SHIPPED_LIVE | Low: cpio security update | 2005-07-21 04:00:00 UTC

Description Josh Bressers 2005-04-22 18:45:45 UTC
Race condition in cpio 2.6 and earlier allows local users to modify permissions
of arbitrary files via a hard link attack on a file while it is being
decompressed, whose permissions are changed by cpio after the decompression is

Comment 1 Josh Bressers 2005-04-22 18:50:20 UTC
This issue should also affect RHEL2.1 and RHEL3.

Comment 2 Mark J. Cox 2005-04-29 13:44:08 UTC
Created attachment 113839 [details]
Proposed patch from Steve Grubb

Comment 3 Peter Vrabec 2005-07-01 09:38:30 UTC
Created attachment 116230 [details]
I suggest to use this patch.

Steve's patch doesn't solve the race condition on directories. My fix uses mode 0700
for dir creation, which closes some more holes.
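
The race in the description and the directory-mode point in Comment 3, as an added C example (not part of this bug report, and not the attached patches or cpio's source): the file is created exclusively with owner-only permissions and its final mode is set through the open descriptor instead of by path name. The function names `extract_file`, `make_dir_private` and `mode_of` are hypothetical.

```c
/* Added illustration; not cpio source. Function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Racy pattern, for contrast (what the bug description is about):
 *     fd = open(path, O_CREAT | O_WRONLY, 0666); ...write...; close(fd);
 *     chmod(path, mode);   // path is resolved again; it may now name
 *                          // a different inode than the one written
 */

/* Hardened file extraction: refuse an existing path, keep the file
 * owner-only while it is written, then set the archive's mode through the
 * descriptor so it lands on the inode this call created. */
int extract_file(const char *path, const void *data, size_t len, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;                 /* something already sits at path */
    const char *p = data;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            close(fd);
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    int rc = fchmod(fd, mode & 07777);   /* by descriptor, not by name */
    if (close(fd) != 0)
        rc = -1;
    return rc;
}

/* Directory creation with mode 0700, as Comment 3 describes: other users
 * cannot enter the directory while its contents are being extracted. */
int make_dir_private(const char *path)
{
    return mkdir(path, 0700);
}

/* Permission bits of path itself (no symlink following), or -1. */
int mode_of(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}
```

A directory created this way still needs its archived mode applied once its contents are in place; that step is outside this example.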

Comment 5 Josh Bressers 2005-09-30 15:05:31 UTC
We have not released an update for this issue on RHEL2.1 yet.  RHEL3 and RHEL4
were fixed in RHSA-2005:378

Comment 7 Bastien Nocera 2005-10-03 10:08:13 UTC
The RHEL 2.1 bug is being tracked in bug #169760
