• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: CPIO CHMod File Permission Modification Race Condition Weakness

Severity: LOW

Description:

The cpio utility is an open-source file compression/decompression utility for UNIX and Linux variants.

The cpio utility is prone to a security weakness. The issue occurs only when an archive is extracted into a world- or group-writeable directory. Reportedly, cpio employs non-atomic procedures to write a file and later change the permissions on the newly extracted file.

Specifically, when a file is opened, a call to 'chmod()' is made on the newly created filename. This occurs when a user chooses to preserve file permissions that are taken from the file properties of the compressed file. Because this is not an atomic action, a window of opportunity is created for a local attacker.

If an attacker replaces the file that is getting created by cpio with a hardlink to an alternate target file before the 'chmod()' function is called, the 'chmod()' operation will change the permissions on the hardlinked file.

This weakness likely affects many applications that process files. A more proper method to modify the file permissions in this case would be to use 'fchmod()' to operate on the file handle rather than on the filename.

This weakness affects cpio version 2.6 and previous versions.

Affected Products:

• Avaya Intuity Audix R5
• Conectiva Linux 10.0.0
• Debian Linux 3.0.0
• Debian Linux 3.0.0 alpha
• Debian Linux 3.0.0 arm
• Debian Linux 3.0.0 hppa
• Debian Linux 3.0.0 ia-32
• Debian Linux 3.0.0 ia-64
• Debian Linux 3.0.0 m68k
• Debian Linux 3.0.0 mips
• Debian Linux 3.0.0 mipsel
• Debian Linux 3.0.0 ppc
• Debian Linux 3.0.0 s/390
• Debian Linux 3.0.0 sparc
• Debian Linux 3.1.0
• FreeBSD FreeBSD -current
• FreeBSD FreeBSD 2.x
• FreeBSD FreeBSD 3.x
• FreeBSD FreeBSD 4.0.0
• FreeBSD FreeBSD 4.0.0 -RELENG
• FreeBSD FreeBSD 4.0.0 .x
• FreeBSD FreeBSD 4.0.0 alpha
• FreeBSD FreeBSD 4.1.0
• FreeBSD FreeBSD 4.1.1
• FreeBSD FreeBSD 4.1.1 -RELEASE
• FreeBSD FreeBSD 4.1.1 -STABLE
• FreeBSD FreeBSD 4.10.0
• FreeBSD FreeBSD 4.10.0 -RELEASE
• FreeBSD FreeBSD 4.10.0 -RELEASE-p8
• FreeBSD FreeBSD 4.10.0 -RELENG
• FreeBSD FreeBSD 4.11.0 -RELEASE-p3
• FreeBSD FreeBSD 4.11.0 -RELENG
• FreeBSD FreeBSD 4.11.0 -STABLE
• FreeBSD FreeBSD 4.2.0
• FreeBSD FreeBSD 4.2.0 -RELEASE
• FreeBSD FreeBSD 4.2.0 -STABLE
• FreeBSD FreeBSD 4.2.0 -STABLEpre050201
• FreeBSD FreeBSD 4.2.0 -STABLEpre122300
• FreeBSD FreeBSD 4.3.0
• FreeBSD FreeBSD 4.3.0 -RELEASE
• FreeBSD FreeBSD 4.3.0 -RELEASE-p38
• FreeBSD FreeBSD 4.3.0 -RELENG
• FreeBSD FreeBSD 4.3.0 -STABLE
• FreeBSD FreeBSD 4.4.0
• FreeBSD FreeBSD 4.4.0 -RELEASE-p42
• FreeBSD FreeBSD 4.4.0 -RELENG
• FreeBSD FreeBSD 4.4.0 -RELENG
• FreeBSD FreeBSD 4.4.0 -STABLE
• FreeBSD FreeBSD 4.5.0
• FreeBSD FreeBSD 4.5.0 -RELEASE
• FreeBSD FreeBSD 4.5.0 -RELEASE-p32
• FreeBSD FreeBSD 4.5.0 -RELENG
• FreeBSD FreeBSD 4.5.0 -STABLE
• FreeBSD FreeBSD 4.5.0 -STABLEpre2002-03-07
• FreeBSD FreeBSD 4.6.0
• FreeBSD FreeBSD 4.6.0 -RELEASE
• FreeBSD FreeBSD 4.6.0 -RELEASE-p20
• FreeBSD FreeBSD 4.6.0 -RELENG
• FreeBSD FreeBSD 4.6.0 -STABLE
• FreeBSD FreeBSD 4.6.2
• FreeBSD FreeBSD 4.7.0
• FreeBSD FreeBSD 4.7.0 -RELEASE
• FreeBSD FreeBSD 4.7.0 -RELEASE-p17
• FreeBSD FreeBSD 4.7.0 -RELENG
• FreeBSD FreeBSD 4.7.0 -STABLE
• FreeBSD FreeBSD 4.8.0
• FreeBSD FreeBSD 4.8.0 -PRERELEASE
• FreeBSD FreeBSD 4.8.0 -RELEASE-p7
• FreeBSD FreeBSD 4.8.0 -RELENG
• FreeBSD FreeBSD 4.9.0
• FreeBSD FreeBSD 4.9.0 -PRERELEASE
• FreeBSD FreeBSD 4.9.0 -RELENG
• FreeBSD FreeBSD 5.0.0
• FreeBSD FreeBSD 5.0.0 -RELEASE-p14
• FreeBSD FreeBSD 5.0.0 -RELENG
• FreeBSD FreeBSD 5.0.0 alpha
• FreeBSD FreeBSD 5.1.0
• FreeBSD FreeBSD 5.1.0 -RELEASE
• FreeBSD FreeBSD 5.1.0 -RELEASE-p5
• FreeBSD FreeBSD 5.1.0 -RELEASE/Alpha
• FreeBSD FreeBSD 5.1.0 -RELENG
• FreeBSD FreeBSD 5.2.0
• FreeBSD FreeBSD 5.2.0 -RELEASE
• FreeBSD FreeBSD 5.2.0 -RELENG
• FreeBSD FreeBSD 5.2.1 -RELEASE
• FreeBSD FreeBSD 5.3.0
• FreeBSD FreeBSD 5.3.0 -RELEASE
• FreeBSD FreeBSD 5.3.0 -RELENG
• FreeBSD FreeBSD 5.3.0 -STABLE
• FreeBSD FreeBSD 5.4.0 -PRERELEASE
• FreeBSD FreeBSD 5.4.0 -RELEASE
• FreeBSD FreeBSD 5.4.0 -RELENG
• FreeBSD FreeBSD 6.0.0 -RELEASE
• FreeBSD FreeBSD 6.0.0 -STABLE
• GNU cpio 1.0.0
• GNU cpio 1.1.0
• GNU cpio 1.2.0
• GNU cpio 1.3.0
• GNU cpio 2.4.2
• GNU cpio 2.5.0
• GNU cpio 2.5.90
• GNU cpio 2.6.0
• Gentoo Linux
• Linux kernel 2.4.19
• Linux kernel 2.4.21
• Linux kernel 2.6.5
• MandrakeSoft Corporate Server 2.1.0
• MandrakeSoft Corporate Server 2.1.0 x86_64
• MandrakeSoft Corporate Server 3.0.0
• MandrakeSoft Corporate Server 3.0.0 x86_64
• MandrakeSoft Linux Mandrake 10.0.0
• MandrakeSoft Linux Mandrake 10.0.0 amd64
• MandrakeSoft Linux Mandrake 10.1.0
• MandrakeSoft Linux Mandrake 10.1.0 x86_64
• MandrakeSoft Linux Mandrake 10.2.0
• MandrakeSoft Linux Mandrake 10.2.0 x86_64
• MandrakeSoft Linux Mandrake 2006.0.0
• MandrakeSoft Linux Mandrake 2006.0.0 x86_64
• MandrakeSoft Linux Mandrake 9.1.0
• MandrakeSoft Linux Mandrake 9.1.0 ppc
• MandrakeSoft Linux Mandrake 9.2.0
• MandrakeSoft Linux Mandrake 9.2.0 amd64
• RedHat Advanced Workstation for the Itanium Processor 2.1.0
• RedHat Advanced Workstation for the Itanium Processor 2.1.0 IA64
• RedHat Desktop 3.0.0
• RedHat Desktop 4.0.0
• RedHat Enterprise Linux AS 2.1
• RedHat Enterprise Linux AS 2.1 IA64
• RedHat Enterprise Linux AS 3
• RedHat Enterprise Linux AS 4
• RedHat Enterprise Linux ES 2.1
• RedHat Enterprise Linux ES 2.1 IA64
• RedHat Enterprise Linux ES 3
• RedHat Enterprise Linux ES 4
• RedHat Enterprise Linux WS 2.1
• RedHat Enterprise Linux WS 2.1 IA64
• RedHat Enterprise Linux WS 3
• RedHat Enterprise Linux WS 4
• S.u.S.E. Linux Desktop 1.0.0
• S.u.S.E. Linux Enterprise Server 8
• S.u.S.E. Linux Enterprise Server 9
• S.u.S.E. Linux Personal 10.0.0 OSS
• S.u.S.E. Linux Personal 8.2.0
• S.u.S.E. Linux Personal 9.0.0
• S.u.S.E. Linux Personal 9.0.0 x86_64
• S.u.S.E. Linux Personal 9.1.0
• S.u.S.E. Linux Personal 9.1.0 x86_64
• S.u.S.E. Linux Personal 9.2.0
• S.u.S.E. Linux Personal 9.2.0 x86_64
• S.u.S.E. Linux Personal 9.3.0
• S.u.S.E. Linux Personal 9.3.0 x86_64
• S.u.S.E. Linux Professional 10.0.0 OSS
• S.u.S.E. Linux Professional 8.2.0
• S.u.S.E. Linux Professional 9.0.0
• S.u.S.E. Linux Professional 9.0.0 x86_64
• S.u.S.E. Linux Professional 9.1.0
• S.u.S.E. Linux Professional 9.1.0 x86_64
• S.u.S.E. Linux Professional 9.2.0
• S.u.S.E. Linux Professional 9.2.0 x86_64
• S.u.S.E. Linux Professional 9.3.0
• S.u.S.E. Linux Professional 9.3.0 x86_64
• S.u.S.E. Novell Linux Desktop 9.0.0
• S.u.S.E. Open-Enterprise-Server 9.0.0
• S.u.S.E. SUSE LINUX Retail Solution 8.0.0
• S.u.S.E. SuSE Linux Openexchange Server 4.0.0
• S.u.S.E. SuSE Linux School Server for i386
• S.u.S.E. SuSE Linux Standard Server 8.0.0
• SCO Open Server 5.0.7
• SCO Open Server 6.0.0
• SCO Unixware 7.1.3
• SCO Unixware 7.1.3up
• SCO Unixware 7.1.4
• SGI ProPack 3.0.0 SP6
• Trustix Secure Enterprise Linux 2.0.0
• Trustix Secure Linux 2.1.0
• Trustix Secure Linux 2.2.0
• Turbolinux Appliance Server 1.0.0 Hosting Edition
• Turbolinux Appliance Server 1.0.0 Workgroup Edition
• Turbolinux Appliance Server Hosting Edition 1.0.0
• Turbolinux Appliance Server Workgroup Edition 1.0.0
• Turbolinux Home
• Turbolinux Turbolinux 10 F...
• Turbolinux Turbolinux Desktop 10.0.0
• Turbolinux Turbolinux Server 7.0.0
• Turbolinux Turbolinux Server 8.0.0
• Turbolinux Turbolinux Workstation 7.0.0
• Turbolinux Turbolinux Workstation 8.0.0
• Ubuntu Ubuntu Linux 4.1.0 ia32
• Ubuntu Ubuntu Linux 4.1.0 ia64
• Ubuntu Ubuntu Linux 4.1.0 ppc
• Ubuntu Ubuntu Linux 5.0.0 4 amd64
• Ubuntu Ubuntu Linux 5.0.0 4 i386
• Ubuntu Ubuntu Linux 5.0.0 4 powerpc
• Ubuntu Ubuntu Linux 5.10.0 amd64
• Ubuntu Ubuntu Linux 5.10.0 i386
• Ubuntu Ubuntu Linux 5.10.0 powerpc

References:

• Avaya: ASA-2005-191 - cpio race condition - (SCOSA-2005.32)
• GNU: cpio Home Page
• RedHat: RHSA-2005:378-17 - Low: cpio security update
• RedHat: RHSA-2005:806-8 - cpio security update

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.