USN-75-1: cpio vulnerability
Publication date
4 February 2005
Overview
cpio vulnerability
Releases
Details
Recently it was discovered that cpio created world-writeable files
when used in -o/--create mode with giving an output file (with -O).
This allowed any user to modify the created cpio archives. Now cpio
respects the current umask setting of the user.
Note: This vulnerability has already been fixed in a very old version
of cpio, but the fix was never ported to the current version.
Therefore the CAN number was assigned to the year 1999.
Recently it was discovered that cpio created world-writeable files
when used in -o/--create mode with giving an output file (with -O).
This allowed any user to modify the created cpio archives. Now cpio
respects the current umask setting of the user.
Note: This vulnerability has already been fixed in a very old version
of cpio, but the fix was never ported to the current version.
Therefore the CAN number was assigned to the year 1999.
Update instructions
In general, a standard system update will make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 4.10 warty | cpio – | ||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.