GNU bug report logs -
#12947
[brlink@debian.org: Bug#598018: install: temporary insecure file permissions]
Previous Next
Reported by: Samuel Bronson <naesten <at> gmail.com>
Date: Tue, 20 Nov 2012 19:07:01 UTC
Severity: normal
Tags: patch, security
Found in version 8.5
Done: Paul Eggert <eggert <at> cs.ucla.edu>
Bug is archived. No further changes may be made.
Full log
Message #16 received at 12947 <at> debbugs.gnu.org (full text, mbox):
On 11/20/2012 01:41 PM, Eric Blake wrote:
> This also needs a NEWS entry. I'm not sure how easy or hard it would be
> to write a test case, though.
Jim's the expert on writing test cases for race conditions.
Not sure that this one is worth a lot of work, though.
I pushed this NEWS patch:
From 791a9c05122a1031820eebf58c04c4f157e36cfd Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert <at> cs.ucla.edu>
Date: Tue, 20 Nov 2012 18:10:21 -0800
Subject: [PATCH] install: fix security race
* NEWS: Document this.
---
NEWS | 3 +++
1 file changed, 3 insertions(+)
diff --git a/NEWS b/NEWS
index 713f761..15fddd4 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,9 @@ GNU coreutils NEWS -*- outline -*-
Instead, cut now fails and emits an appropriate diagnostic.
[This bug was present in "the beginning".]
+ install -m M SOURCE DEST no longer has a race condition where DEST's
+ permissions are temporarily derived from SOURCE instead of from M.
+
pr -n no longer crashes when passed values >= 32. Also line numbers are
consistently padded with spaces, rather than with zeros for certain widths.
[bug introduced in TEXTUTILS-1_22i]
--
1.7.11.7
This bug report was last modified 12 years and 182 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.