Re: security bug in cp(1)
From: Paul Eggert
Subject: Re: security bug in cp(1)
Date: Fri, 17 Aug 2007 12:52:38 -0700
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux)

Eric Blake <address@hidden> writes:
> According to Soren Spies on 8/16/2007 8:16 PM:
>> I just noticed that cp -p doesn't update the group on a file before
>> writing data into the target. That means that during the copy, users
>> you didn't intend to be able to read the file can read the file.
>
> This was already noticed and fixed in 6.9.

No, the 6.9 security bug was something different. The security bug
Soren Spies reported was fixed in coreutils 6.7; the NEWS file says
this bug affects 6.0 through 6.6, but I guess this is not quite right,
as it appears there's also a bug in 5.97.

Perhaps in response to Soren Spies's report, Alekx Bromfield filed a
Debian bug report, which you can track at
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=438452>.

Maybe the NEWS file should be changed? Something like this?

2007-08-17  Paul Eggert  <address@hidden>

	* NEWS: The old cp -p bug affected coreutils releases before 6.0.
	Problem reported by Soren Spies in
	<http://lists.gnu.org/archive/html/bug-coreutils/2007-08/msg00106.html>.
	To be conservative, just say the bug was in all versions through 6.6.

--- old/NEWS 2007-08-08 14:08:02.000000000 -0700
+++ new/NEWS 2007-08-17 12:50:12.000000000 -0700
@@ -206,7 +206,7 @@ GNU coreutils NEWS
Fix similar problems with cp options like -p that imply
--preserve=ownership, with install -d when combined with either -o
or -g, and with mv when copying across file system boundaries.
- This bug affects coreutils 6.0 through 6.6.
+ This bug affects all versions of coreutils through 6.6.
du --one-file-system (-x) would skip subdirectories of any directory
listed as second or subsequent command line argument. This bug affects
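
Review bot: the new sentence "This bug affects all versions of coreutils through 6.6." closes a paragraph that also covers install -d combined with -o or -g and mv across file system boundaries, so the widened range now reads as applying to those cases as well, while the accompanying message only mentions cp -p misbehaving in 5.97. Either scope the sentence to the cp -p case or confirm that install -d and mv had the same problem in pre-6.0 releases before widening it. The ChangeLog entry already says the wording is deliberately conservative; a short hint of that in NEWS itself (for example "at least 5.97 through 6.6, and possibly earlier") would tell readers what was actually observed.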