GNU bug report logs - #12947
[brlink@debian.org: Bug#598018: install: temporary insecure file permissions]

Package: coreutils

Reported by: Samuel Bronson <naesten <at> gmail.com>

Date: Tue, 20 Nov 2012 19:07:01 UTC

Severity: normal

Tags: patch, security

Found in version 8.5

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.


Message #13 received at 12947 <at> debbugs.gnu.org (full text, mbox):

From: Eric Blake <eblake <at> redhat.com>
To: 12947 <at> debbugs.gnu.org, eggert <at> cs.ucla.edu, naesten <at> gmail.com
Subject: Re: bug#12947: [brlink <at> debian.org: Bug#598018: install: temporary insecure file permissions]
Date: Tue, 20 Nov 2012 14:41:52 -0700
On 11/20/2012 02:20 PM, Paul Eggert wrote:
> Thanks, I installed this patch into the coreutils master branch,
> and I'm marking the upstream coreutils bug as done.
> 
> From 7ee71d9ddad1435bbea00779bcd4c62482ea3473 Mon Sep 17 00:00:00 2001
> From: Paul Eggert <eggert <at> cs.ucla.edu>
> Date: Tue, 20 Nov 2012 13:15:34 -0800
> Subject: [PATCH] install: fix security race
> 
> * src/copy.c (copy_internal): Use DST_MODE_BITS, not SRC_MODE.
> See Bernhard R. Link in <http://bugs.gnu.org/12947> and in
> <http://bugs.debian.org/598018>.
> ---
>  src/copy.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)

This also needs a NEWS entry.  I'm not sure how easy or hard it would be
to write a test case, though.

-- 
Eric Blake   eblake <at> redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


This bug report was last modified 12 years and 183 days ago.
