Package: cpio
Version: 2.5-1.2
Severity: normal
Tags: security

According to the advisory at
 http://marc.theaimsgroup.com/?l=bugtraq&m=111342664116120&w=2

  If a malicious local user has write access to a directory in which a
  target user is using cpio to extract or compress a file to then a
  TOCTOU bug can be exploited to change the permission of any file
  belonging to that user.

  On decompressing cpio copies the permissions from the compressed
  cpio file to the uncompressed file. However there is a gap between the
  uncompressed file being written (and it's file handler being close)
  and the permissions of the file being changed.

  During this gap a malicious user can remove the decompressed file and
  replace it with a hard-link to another file belonging to the user.
  cpio will then change the permissions on the  hard-linked file to be
  the same as that of the cpio file.

  The vulnerable line of code can be found on line 581 of the file
  copyin.c. cpio also use's chmod in a number of other places which may
  also be vulnerable to exploitation.

-- 
see shy jo

Attachment: signature.asc
Description: Digital signature

Reply via email to