CVE-1999-1572 — cpio - broken file permissions

Description

cpio on FreeBSD 2.1.0, Debian GNU/Linux 3.0, and possibly other operating systems, uses a 0 umask when creating files using the -O (archive) or -F options, which creates the files with mode 0666 and allows local users to read or overwrite those files.

How to fix CVE-1999-1572

To remediate CVE-1999-1572, upgrade the affected package to a fixed version below.

Debian/cpio—upgrade to 2.5-1.2 or later
Debian/cpio—upgrade to 2.4.2-39woody1 or later

Is CVE-1999-1572 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.5-1.2
from 0, < 2.4.2-39woody1

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-1999-1572