[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: security bug in cp(1)

From: Paul Eggert
Subject: Re: security bug in cp(1)
Date: Fri, 17 Aug 2007 12:52:38 -0700
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux)

Eric Blake <address@hidden> writes:

> According to Soren Spies on 8/16/2007 8:16 PM:
>> I just noticed that cp -p doesn't update the group on a file before
>> writing data into the target.  That means that during the copy, users
>> you didn't intend to be able to read the file can read the file.
> This was already noticed and fixed in 6.9.

No, the 6.9 security bug was something different.  The security bug
Soren Spies reported was fixed in coreutils 6.7; the NEWS file says
this bug affects 6.0 through 6.6, but I guess this is not quite right,
as it appears there's also a bug in 5.97.

Perhaps in response to Soren Spies's report, Alekx Bromfield filed a
Debian bug report, which you can track at

Maybe the NEWS file should be changed?  Something like this?

2007-08-17  Paul Eggert  <address@hidden>

        * NEWS: The old cp -p bug affected coreutils releases before 6.0.
        Problem reported by Soren Spies in
        To be conservative, just say the bug was in all versions through 6.6.

--- old/NEWS    2007-08-08 14:08:02.000000000 -0700
+++ new/NEWS    2007-08-17 12:50:12.000000000 -0700
@@ -206,7 +206,7 @@ GNU coreutils NEWS                      
   Fix similar problems with cp options like -p that imply
   --preserve=ownership, with install -d when combined with either -o
   or -g, and with mv when copying across file system boundaries.
-  This bug affects coreutils 6.0 through 6.6.
+  This bug affects all versions of coreutils through 6.6.
   du --one-file-system (-x) would skip subdirectories of any directory
   listed as second or subsequent command line argument.  This bug affects

reply via email to

[Prev in Thread] Current Thread [Next in Thread]