From ad9d4caf99c5f34895882da0343b8c441a237a02 Mon Sep 17 00:00:00 2001 From: ms Date: Mon, 19 Mar 2007 20:25:01 +0000 Subject: [PATCH] Ramdisk-Arbeit nahezu beendet. git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@451 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8 --- config/kernel/kernel.config.i586 | 4 +- config/kernel/kernel.config.i586.smp | 2 +- config/rootfiles/common/cpio | 20 ++ config/rootfiles/common/util-linux | 4 +- doc/ChangeLog | 47 +++ doc/packages-list.txt | 1 + lfs/cpio | 84 +++++ make.sh | 1 + src/install+setup/install/main.c | 4 +- src/nash/mkinitrd | 17 +- src/patches/cpio-2.6-security_fixes-1.patch | 370 ++++++++++++++++++++ 11 files changed, 537 insertions(+), 17 deletions(-) create mode 100644 config/rootfiles/common/cpio create mode 100644 lfs/cpio create mode 100644 src/patches/cpio-2.6-security_fixes-1.patch diff --git a/config/kernel/kernel.config.i586 b/config/kernel/kernel.config.i586 index 2354e7e150..2313c8af4c 100644 --- a/config/kernel/kernel.config.i586 +++ b/config/kernel/kernel.config.i586 @@ -1,7 +1,7 @@ # # Automatically generated make config: don't edit # Linux kernel version: 2.6.16.42-ipfire -# Sun Mar 18 16:54:28 2007 +# Mon Mar 19 13:34:52 2007 # CONFIG_X86_32=y CONFIG_SEMAPHORE_SLEEPERS=y @@ -1740,7 +1740,7 @@ CONFIG_XFS_SECURITY=y CONFIG_XFS_POSIX_ACL=y CONFIG_XFS_RT=y # CONFIG_OCFS2_FS is not set -# CONFIG_MINIX_FS is not set +CONFIG_MINIX_FS=y # CONFIG_ROMFS_FS is not set CONFIG_INOTIFY=y # CONFIG_QUOTA is not set diff --git a/config/kernel/kernel.config.i586.smp b/config/kernel/kernel.config.i586.smp index 06391324a6..f520f007a7 100644 --- a/config/kernel/kernel.config.i586.smp +++ b/config/kernel/kernel.config.i586.smp @@ -1743,7 +1743,7 @@ CONFIG_XFS_SECURITY=y CONFIG_XFS_POSIX_ACL=y CONFIG_XFS_RT=y # CONFIG_OCFS2_FS is not set -# CONFIG_MINIX_FS is not set +CONFIG_MINIX_FS=y # CONFIG_ROMFS_FS is not set CONFIG_INOTIFY=y # CONFIG_QUOTA is not set 
diff --git a/config/rootfiles/common/cpio b/config/rootfiles/common/cpio
new file mode 100644
index 0000000000..3f201c03e8
--- /dev/null
+++ b/config/rootfiles/common/cpio
@@ -0,0 +1,20 @@
+bin/cpio
+bin/mt
+#usr/info/cpio.info
+#usr/man/man1/cpio.1
+#usr/man/man1/mt.1
+#usr/share/locale/da/LC_MESSAGES/cpio.mo
+#usr/share/locale/de/LC_MESSAGES/cpio.mo
+#usr/share/locale/es/LC_MESSAGES/cpio.mo
+#usr/share/locale/fr/LC_MESSAGES/cpio.mo
+#usr/share/locale/gl/LC_MESSAGES/cpio.mo
+#usr/share/locale/hu/LC_MESSAGES/cpio.mo
+#usr/share/locale/ko/LC_MESSAGES/cpio.mo
+#usr/share/locale/nl/LC_MESSAGES/cpio.mo
+#usr/share/locale/pl/LC_MESSAGES/cpio.mo
+#usr/share/locale/pt_BR/LC_MESSAGES/cpio.mo
+#usr/share/locale/ro/LC_MESSAGES/cpio.mo
+#usr/share/locale/ru/LC_MESSAGES/cpio.mo
+#usr/share/locale/sv/LC_MESSAGES/cpio.mo
+#usr/share/locale/tr/LC_MESSAGES/cpio.mo
+#usr/share/locale/zh_CN/LC_MESSAGES/cpio.mo
diff --git a/config/rootfiles/common/util-linux b/config/rootfiles/common/util-linux
index 8a13986af6..f0a2b2b4be 100644
--- a/config/rootfiles/common/util-linux
+++ b/config/rootfiles/common/util-linux
@@ -11,13 +11,13 @@ sbin/ctrlaltdel
 #sbin/elvtune
 sbin/fdisk
 #sbin/fsck.cramfs
-#sbin/fsck.minix
+sbin/fsck.minix
 sbin/hwclock
 sbin/losetup
 sbin/mkfs
 #sbin/mkfs.bfs
 #sbin/mkfs.cramfs
-#sbin/mkfs.minix
+sbin/mkfs.minix
 sbin/mkswap
 #sbin/pivot_root
 sbin/sfdisk
diff --git a/doc/ChangeLog b/doc/ChangeLog
index eb1c19e476..35fa10928f 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,50 @@
+------------------------------------------------------------------------
+r450 | ms | 2007-03-18 22:34:35 +0100 (Sun, 18 Mar 2007) | 5 lines
+
+GD-Graph fuer Maniac eingebaut
+Kernel laedt ab jetzt keine Module mehr ungefragt.
+Nash aktualisiert um richtige Ramdisks zu erstellen (noch unstable).
+pppsetup.cgi vom Maniac eingefuegt.
+
+------------------------------------------------------------------------
+r449 | ms | 2007-03-17 22:14:34 +0100 (Sat, 17 Mar 2007) | 4 lines
+
+Alten PCMCIA Code aus dem Installer entfernt.
+Unattended Installation bearbeitet.
+HTTP/FTP-Installation nun moeglich.
+
+------------------------------------------------------------------------
+r448 | ms | 2007-03-14 22:57:20 +0100 (Wed, 14 Mar 2007) | 2 lines
+
+Neue Hardwareerkennung im Installer...
+
+------------------------------------------------------------------------
+r447 | ms | 2007-03-11 21:34:32 +0100 (Sun, 11 Mar 2007) | 2 lines
+
+Firewall-Log-Analyzer by Christian Schmidt
+
+------------------------------------------------------------------------
+r446 | ms | 2007-03-11 21:20:29 +0100 (Sun, 11 Mar 2007) | 3 lines
+
+hwinfo in den Installer gebracht.
+(Erstmal nur in das Image...)
+
+------------------------------------------------------------------------
+r445 | ms | 2007-03-11 21:09:05 +0100 (Sun, 11 Mar 2007) | 3 lines
+
+OpenSwan RC nach den Vorgaben von "affect" installiert.
+Zurueck zu ReiserFS, da wir mit Reiser4 noch ein paar Probleme haben und wir die Prioritaeten noch auf andere Sachen legen muessen. :'(
+
+------------------------------------------------------------------------
+r444 | ms | 2007-03-07 20:09:28 +0100 (Wed, 07 Mar 2007) | 2 lines
+
+Tippfehler im RC Script
+
+------------------------------------------------------------------------
+r443 | ms | 2007-03-07 19:42:02 +0100 (Wed, 07 Mar 2007) | 2 lines
+
+HWInfo wieder eingefuegt, da mit kudzu zu viele Segmentation Faults liefert.
+ ------------------------------------------------------------------------ r442 | ms | 2007-03-05 14:15:21 +0100 (Mon, 05 Mar 2007) | 2 lines diff --git a/doc/packages-list.txt b/doc/packages-list.txt index 9ec6e6508f..11a128c9eb 100644 --- a/doc/packages-list.txt +++ b/doc/packages-list.txt @@ -51,6 +51,7 @@ * cftp-0.12 * clamav-0.90 * coreutils-5.96 +* cpio-2.6 * cups-1.2.2 * cyrus-imapd-2.2.12 * cyrus-sasl-2.1.21 diff --git a/lfs/cpio b/lfs/cpio new file mode 100644 index 0000000000..e5db0d1e0d --- /dev/null +++ b/lfs/cpio 
@@ -0,0 +1,84 @@
+###############################################################################
+# This file is part of the IPCop Firewall. #
+# #
+# IPCop is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPCop is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPCop; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Makefiles are based on LFSMake, which is #
+# Copyright (C) 2002 Rod Roard #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = 2.6
+
+THISAPP = cpio-$(VER)
+DL_FILE = $(THISAPP).tar.gz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = 76b4145f33df088a5bade3bf4373d17d
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && sed -i "s/invalid_arg/argmatch_invalid/" src/mt.c
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/$(THISAPP)-security_fixes-1.patch
+ cd $(DIR_APP) && ./configure CPIO_MT_PROG=mt --prefix=/usr \
+ --bindir=/bin --libexecdir=/tmp \
+ --with-rmt=/usr/sbin/rmt
+ cd $(DIR_APP) && echo "#define HAVE_LSTAT 1" >> config.h
+ cd $(DIR_APP) && make $(MAKETUNING)
+ cd $(DIR_APP) && make install
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
diff --git a/make.sh b/make.sh
index 9a2aaf878a..58d7e24d69 100644
--- a/make.sh
+++ b/make.sh
@@ -348,6 +348,7 @@ buildipfire() {
 ipfiremake zaptel
 ipfiremake fuse
 ipfiremake pkg-config
+ ipfiremake cpio
 ipfiremake expat
 ipfiremake gdbm
 ipfiremake gmp
diff --git a/src/install+setup/install/main.c b/src/install+setup/install/main.c
index 9bd629dc10..3288a168e4 100644
--- a/src/install+setup/install/main.c
+++ b/src/install+setup/install/main.c
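Review bot: In the new lfs/cpio, the only integrity check on the downloaded cpio-2.6.tar.gz is the MD5 value in `$(DL_FILE)_MD5`, and MD5 no longer resists collisions, so it catches a corrupted download rather than a deliberately substituted tarball. How `$(MD5)` and `$(LOAD)` verify and fetch the file is defined outside this hunk, so a stronger digest would probably have to be introduced in the shared build rules rather than in this file alone. The configure line also passes `--libexecdir=/tmp`, which names a world-writable directory as an install location; presumably nothing lands there because `--with-rmt=/usr/sbin/rmt` is given, and a comment such as `# --libexecdir=/tmp: nothing is installed there, it only avoids creating /usr/libexec` would let a reader confirm that. The `sed` on src/mt.c and the `echo "#define HAVE_LSTAT 1" >> config.h` line likewise deserve a one-line comment each stating why the source is altered before the build.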
@@ -547,9 +547,9 @@ int main(int argc, char *argv[]) if (strlen(driver) > 1) { fprintf(flog, "Fixing up ipfirerd.img\n"); mkdir("/harddisk/initrd", S_IRWXU|S_IRWXG|S_IRWXO); - snprintf(commandstring, STRING_SIZE, "/sbin/chroot /harddisk /sbin/mkinitrd --with=scsi_mod %s --with=sd_mod --with=sr_mod /boot/ipfirerd.img %s-ipfire", driver, KERNEL_VERSION); + snprintf(commandstring, STRING_SIZE, "/sbin/chroot /harddisk /sbin/mkinitrd -v --with=scsi_mod %s --with=sd_mod --with=sr_mod /boot/ipfirerd.img %s-ipfire", driver, KERNEL_VERSION); runcommandwithstatus(commandstring, ctr[TR_BUILDING_INITRD]); - snprintf(commandstring, STRING_SIZE, "/sbin/chroot /harddisk /sbin/mkinitrd --with=scsi_mod %s --with=sd_mod --with=sr_mod /boot/ipfirerd-smp.img %s-ipfire-smp", driver, KERNEL_VERSION); + snprintf(commandstring, STRING_SIZE, "/sbin/chroot /harddisk /sbin/mkinitrd -v --with=scsi_mod %s --with=sd_mod --with=sr_mod /boot/ipfirerd-smp.img %s-ipfire-smp", driver, KERNEL_VERSION); runcommandwithstatus(commandstring, ctr[TR_BUILDING_INITRD]); mysystem("/sbin/chroot /harddisk /bin/mv /boot/grub/scsigrub.conf /boot/grub/grub.conf"); } diff --git a/src/nash/mkinitrd b/src/nash/mkinitrd index cbd99feb91..3c50c74f38 100644 --- a/src/nash/mkinitrd +++ b/src/nash/mkinitrd @@ -314,15 +314,15 @@ fi kernelmajor=`echo $kernel | cut -d . -f 1,2` -#if [ "$kernelmajor" == "2.4" ]; then +if [ "$kernelmajor" == "2.4" ]; then if [ -n "$verbose" ]; then echo "Creating old-style initrd"; fi USE_UDEV= -#else -# if [ -n "$verbose" ]; then echo "Creating initramfs"; fi -# modulefile=/etc/modprobe.conf -# initramfs=1 -# pivot="" -#fi +else + if [ -n "$verbose" ]; then echo "Creating initramfs"; fi + modulefile=/etc/modprobe.conf + initramfs=1 + pivot="" +fi # if we're not using udev, don't set any of the other bits [ -z "$USE_UDEV" ] && UDEV_TMPFS= && UDEV_KEEP_DEV= 
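Review bot: Both rewritten `snprintf` calls in the src/install+setup/install/main.c hunk splice `driver` unquoted into a command line and ignore the return value, so an over-long value produces a silently truncated mkinitrd command, and any shell metacharacter in it would be interpreted if `runcommandwithstatus` passes the string to a shell (its implementation and the origin of `driver` are outside the hunk). Checking the length, e.g. `if (snprintf(commandstring, STRING_SIZE, ...) >= STRING_SIZE) { /* abort: command truncated */ }`, and validating `driver` against the expected `--with=<module>` form before it is used would close both gaps. The result of `runcommandwithstatus` is also discarded, so the `mysystem` call that moves scsigrub.conf over grub.conf runs even when building the initrd failed. main() starts and ends outside this hunk.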
@@ -588,9 +588,6 @@ ln -s bin $MNTIMAGE/sbin inst /sbin/nash "$MNTIMAGE/bin/nash" inst /sbin/insmod.static "$MNTIMAGE/bin/insmod" -inst /bin/tar.static "$MNTIMAGE/bin/tar" -inst /usr/bin/lzmadec "$MNTIMAGE/bin/lzmadec" -inst /sbin/fsck.minix.static "$MNTIMAGE/bin/fsck.minix" ln -s /sbin/nash $MNTIMAGE/sbin/modprobe if [ -n "$USE_UDEV" ]; then diff --git a/src/patches/cpio-2.6-security_fixes-1.patch b/src/patches/cpio-2.6-security_fixes-1.patch new file mode 100644 index 0000000000..083c7858d4 --- /dev/null +++ b/src/patches/cpio-2.6-security_fixes-1.patch 
@@ -0,0 +1,370 @@ +Submitted By: Ken Moffat +Date: 2005-07-29 +Initial Package Version: 2.6 +Upstream Status: Unknown +Origin: from Mandrake +Description: Vulnerability fixes, rediffed so that they all apply with + -p1 and consolidated to single patch. Also applicable to earlier versions. +(1.) CAN-1999-1572 (still seems to apply to 2.6) cpio uses a 0 umask when +creating files with -O or -F options, which creates the files with mode 0666 +and allows local users to overwrite them. Fix originally fom debian. +(2.) CAN-2005-1111 Race condition in 2.6 and earlier allows local users to +modify permissions of arbitrary files via a hard-link attack. Fix +originally from fedora. +(3.) CAN-2005-1229 Directory traversal vulnerability allows remote +attackers to write to arbitrary directories via a dot dot in a cpio file. +Fix by Peter Vrabec at RedHat. + +diff -Naur cpio-2.6.vanilla/doc/cpio.1 cpio-2.6/doc/cpio.1 +--- cpio-2.6.vanilla/doc/cpio.1 2004-08-30 17:21:48.000000000 +0100 ++++ cpio-2.6/doc/cpio.1 2005-07-29 13:46:42.000000000 +0100 +@@ -20,7 +20,7 @@ + [\-\-unconditional] [\-\-verbose] [\-\-block-size=blocks] [\-\-swap-halfwords] + [\-\-io-size=bytes] [\-\-pattern-file=file] [\-\-format=format] + [\-\-owner=[user][:.][group]] [\-\-no-preserve-owner] [\-\-message=message] +-[\-\-force\-local] [\-\-no\-absolute\-filenames] [\-\-sparse] ++[\-\-force\-local] [\-\-absolute\-filenames] [\-\-sparse] + [\-\-only\-verify\-crc] [\-\-quiet] [\-\-rsh-command=command] [\-\-help] + [\-\-version] [pattern...] 
[< archive] + +diff -Naur cpio-2.6.vanilla/doc/cpio.info cpio-2.6/doc/cpio.info +--- cpio-2.6.vanilla/doc/cpio.info 2004-02-27 12:42:01.000000000 +0000 ++++ cpio-2.6/doc/cpio.info 2005-07-29 13:46:42.000000000 +0100 +@@ -203,7 +203,7 @@ + [--swap-halfwords] [--io-size=bytes] [--pattern-file=file] + [--format=format] [--owner=[user][:.][group]] + [--no-preserve-owner] [--message=message] [--help] [--version] +- [-no-absolute-filenames] [--sparse] [-only-verify-crc] [-quiet] ++ [--absolute-filenames] [--sparse] [-only-verify-crc] [-quiet] + [--rsh-command=command] [pattern...] [< archive] + +  +@@ -358,9 +358,9 @@ + Show numeric UID and GID instead of translating them into names + when using the `--verbose option'. + +-`--no-absolute-filenames' +- Create all files relative to the current directory in copy-in +- mode, even if they have an absolute file name in the archive. ++`--absolute-filenames' ++ Do not strip leading file name components that contain ".." ++ and leading slashes from file names in copy-in mode + + `--no-preserve-owner' + Do not change the ownership of the files; leave them owned by the +diff -Naur cpio-2.6.vanilla/src/copyin.c cpio-2.6/src/copyin.c +--- cpio-2.6.vanilla/src/copyin.c 2004-09-08 12:10:02.000000000 +0100 ++++ cpio-2.6/src/copyin.c 2005-07-29 13:46:42.000000000 +0100 +@@ -25,6 +25,7 @@ + #include "dstring.h" + #include "extern.h" + #include "defer.h" ++#include "dirname.h" + #include + #ifndef FNM_PATHNAME + #include +@@ -389,19 +390,26 @@ + continue; + } + +- if (close (out_file_des) < 0) +- error (0, errno, "%s", d->header.c_name); +- ++ /* ++ * Avoid race condition. ++ * Set chown and chmod before closing the file desc. ++ * pvrabec@redhat.com ++ */ ++ + /* File is now copied; set attributes. */ + if (!no_chown_flag) +- if ((chown (d->header.c_name, ++ if ((fchown (out_file_des, + set_owner_flag ? set_owner : d->header.c_uid, + set_group_flag ? 
set_group : d->header.c_gid) < 0) + && errno != EPERM) + error (0, errno, "%s", d->header.c_name); + /* chown may have turned off some permissions we wanted. */ +- if (chmod (d->header.c_name, (int) d->header.c_mode) < 0) ++ if (fchmod (out_file_des, (int) d->header.c_mode) < 0) + error (0, errno, "%s", d->header.c_name); ++ ++ if (close (out_file_des) < 0) ++ error (0, errno, "%s", d->header.c_name); ++ + if (retain_time_flag) + { + times.actime = times.modtime = d->header.c_mtime; +@@ -557,6 +565,25 @@ + write (out_file_des, "", 1); + delayed_seek_count = 0; + } ++ ++ /* ++ * Avoid race condition. ++ * Set chown and chmod before closing the file desc. ++ * pvrabec@redhat.com ++ */ ++ ++ /* File is now copied; set attributes. */ ++ if (!no_chown_flag) ++ if ((fchown (out_file_des, ++ set_owner_flag ? set_owner : file_hdr->c_uid, ++ set_group_flag ? set_group : file_hdr->c_gid) < 0) ++ && errno != EPERM) ++ error (0, errno, "%s", file_hdr->c_name); ++ ++ /* chown may have turned off some permissions we wanted. */ ++ if (fchmod (out_file_des, (int) file_hdr->c_mode) < 0) ++ error (0, errno, "%s", file_hdr->c_name); ++ + if (close (out_file_des) < 0) + error (0, errno, "%s", file_hdr->c_name); + +@@ -567,18 +594,6 @@ + file_hdr->c_name, crc, file_hdr->c_chksum); + } + +- /* File is now copied; set attributes. */ +- if (!no_chown_flag) +- if ((chown (file_hdr->c_name, +- set_owner_flag ? set_owner : file_hdr->c_uid, +- set_group_flag ? set_group : file_hdr->c_gid) < 0) +- && errno != EPERM) +- error (0, errno, "%s", file_hdr->c_name); +- +- /* chown may have turned off some permissions we wanted. */ +- if (chmod (file_hdr->c_name, (int) file_hdr->c_mode) < 0) +- error (0, errno, "%s", file_hdr->c_name); +- + if (retain_time_flag) + { + struct utimbuf times; /* For setting file times. 
*/ +@@ -589,7 +604,7 @@ + if (utime (file_hdr->c_name, ×) < 0) + error (0, errno, "%s", file_hdr->c_name); + } +- ++ + tape_skip_padding (in_file_des, file_hdr->c_filesize); + if (file_hdr->c_nlink > 1 + && (archive_format == arf_newascii || archive_format == arf_crcascii) ) +@@ -1335,6 +1350,53 @@ + } + } + ++/* Return a safer suffix of FILE_NAME, or "." if it has no safer ++ suffix. Check for fully specified file names and other atrocities. */ ++ ++static const char * ++safer_name_suffix (char const *file_name) ++{ ++ char const *p; ++ ++ /* Skip file system prefixes, leading file name components that contain ++ "..", and leading slashes. */ ++ ++ size_t prefix_len = FILE_SYSTEM_PREFIX_LEN (file_name); ++ ++ for (p = file_name + prefix_len; *p;) ++ { ++ if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2])) ++ prefix_len = p + 2 - file_name; ++ ++ do ++ { ++ char c = *p++; ++ if (ISSLASH (c)) ++ break; ++ } ++ while (*p); ++ } ++ ++ for (p = file_name + prefix_len; ISSLASH (*p); p++) ++ continue; ++ prefix_len = p - file_name; ++ ++ if (prefix_len) ++ { ++ char *prefix = alloca (prefix_len + 1); ++ memcpy (prefix, file_name, prefix_len); ++ prefix[prefix_len] = '\0'; ++ ++ ++ error (0, 0, _("Removing leading `%s' from member names"), prefix); ++ } ++ ++ if (!*p) ++ p = "."; ++ ++ return p; ++} ++ + /* Read the collection from standard input and create files + in the file system. */ + +@@ -1445,18 +1507,11 @@ + + /* Do we have to ignore absolute paths, and if so, does the filename + have an absolute path? 
*/ +- if (no_abs_paths_flag && file_hdr.c_name && file_hdr.c_name [0] == '/') ++ if (!abs_paths_flag && file_hdr.c_name && file_hdr.c_name [0]) + { +- char *p; ++ const char *p = safer_name_suffix (file_hdr.c_name); + +- p = file_hdr.c_name; +- while (*p == '/') +- ++p; +- if (*p == '\0') +- { +- strcpy (file_hdr.c_name, "."); +- } +- else ++ if (p != file_hdr.c_name) + { + /* Debian hack: file_hrd.c_name is sometimes set to + point to static memory by code in tar.c. This +diff -Naur cpio-2.6.vanilla/src/copypass.c cpio-2.6/src/copypass.c +--- cpio-2.6.vanilla/src/copypass.c 2004-09-06 13:09:04.000000000 +0100 ++++ cpio-2.6/src/copypass.c 2005-07-29 13:46:07.000000000 +0100 +@@ -181,19 +181,25 @@ + } + if (close (in_file_des) < 0) + error (0, errno, "%s", input_name.ds_string); +- if (close (out_file_des) < 0) +- error (0, errno, "%s", output_name.ds_string); +- ++ /* ++ * Avoid race condition. ++ * Set chown and chmod before closing the file desc. ++ * pvrabec@redhat.com ++ */ + /* Set the attributes of the new file. */ + if (!no_chown_flag) +- if ((chown (output_name.ds_string, ++ if ((fchown (out_file_des, + set_owner_flag ? set_owner : in_file_stat.st_uid, + set_group_flag ? set_group : in_file_stat.st_gid) < 0) + && errno != EPERM) + error (0, errno, "%s", output_name.ds_string); + /* chown may have turned off some permissions we wanted. 
*/ +- if (chmod (output_name.ds_string, in_file_stat.st_mode) < 0) ++ if (fchmod (out_file_des, in_file_stat.st_mode) < 0) ++ error (0, errno, "%s", output_name.ds_string); ++ ++ if (close (out_file_des) < 0) + error (0, errno, "%s", output_name.ds_string); ++ + if (reset_time_flag) + { + times.actime = in_file_stat.st_atime; +diff -Naur cpio-2.6.vanilla/src/extern.h cpio-2.6/src/extern.h +--- cpio-2.6.vanilla/src/extern.h 2004-09-08 11:49:57.000000000 +0100 ++++ cpio-2.6/src/extern.h 2005-07-29 13:47:34.000000000 +0100 +@@ -46,7 +46,7 @@ + extern int sparse_flag; + extern int quiet_flag; + extern int only_verify_crc_flag; +-extern int no_abs_paths_flag; ++extern int abs_paths_flag; + extern unsigned int warn_option; + + /* Values for warn_option */ +@@ -91,6 +91,7 @@ + extern char input_is_seekable; + extern char output_is_seekable; + extern char *program_name; ++extern mode_t sys_umask; + extern int (*xstat) (); + extern void (*copy_function) (); + +diff -Naur cpio-2.6.vanilla/src/global.c cpio-2.6/src/global.c +--- cpio-2.6.vanilla/src/global.c 2004-09-08 11:23:44.000000000 +0100 ++++ cpio-2.6/src/global.c 2005-07-29 13:47:34.000000000 +0100 +@@ -100,7 +100,7 @@ + int only_verify_crc_flag = false; + + /* If true, don't use any absolute paths, prefix them by `./'. */ +-int no_abs_paths_flag = false; ++int abs_paths_flag = false; + + #ifdef DEBUG_CPIO + /* If true, print debugging information. */ +@@ -195,6 +195,9 @@ + /* The name this program was run with. */ + char *program_name; + ++/* Debian hack to make the -d option honor the umask. */ ++mode_t sys_umask; ++ + /* A pointer to either lstat or stat, depending on whether + dereferencing of symlinks is done for input files. 
*/ + int (*xstat) (); +diff -Naur cpio-2.6.vanilla/src/main.c cpio-2.6/src/main.c +--- cpio-2.6.vanilla/src/main.c 2004-11-23 00:42:18.000000000 +0000 ++++ cpio-2.6/src/main.c 2005-07-29 13:47:34.000000000 +0100 +@@ -41,6 +41,7 @@ + + enum cpio_options { + NO_ABSOLUTE_FILENAMES_OPTION=256, ++ ABSOLUTE_FILENAMES_OPTION, + NO_PRESERVE_OWNER_OPTION, + ONLY_VERIFY_CRC_OPTION, + RENAME_BATCH_FILE_OPTION, +@@ -134,6 +135,8 @@ + N_("In copy-in mode, read additional patterns specifying filenames to extract or list from FILE"), 210}, + {"no-absolute-filenames", NO_ABSOLUTE_FILENAMES_OPTION, 0, 0, + N_("Create all files relative to the current directory"), 210}, ++ {"absolute-filenames", ABSOLUTE_FILENAMES_OPTION, 0, 0, ++ N_("do not strip leading file name components that contain \"..\" and leading slashes from file names"), 210}, + {"only-verify-crc", ONLY_VERIFY_CRC_OPTION, 0, 0, + N_("When reading a CRC format archive in copy-in mode, only verify the CRC's of each file in the archive, don't actually extract the files"), 210}, + {"rename", 'r', 0, 0, +@@ -392,7 +395,11 @@ + break; + + case NO_ABSOLUTE_FILENAMES_OPTION: /* --no-absolute-filenames */ +- no_abs_paths_flag = true; ++ abs_paths_flag = false; ++ break; ++ ++ case ABSOLUTE_FILENAMES_OPTION: /* --absolute-filenames */ ++ abs_paths_flag = true; + break; + + case NO_PRESERVE_OWNER_OPTION: /* --no-preserve-owner */ +@@ -631,7 +638,7 @@ + _("--append is used but no archive file name is given (use -F or -O options"))); + + CHECK_USAGE(rename_batch_file, "--rename-batch-file", "--create"); +- CHECK_USAGE(no_abs_paths_flag, "--no-absolute-pathnames", "--create"); ++ CHECK_USAGE(abs_paths_flag, "--absolute-pathnames", "--create"); + CHECK_USAGE(input_archive_name, "-I", "--create"); + if (archive_name && output_archive_name) + USAGE_ERROR ((0, 0, _("Both -O and -F are used in copy-out mode"))); +@@ -658,7 +665,7 @@ + CHECK_USAGE(rename_flag, "--rename", "--pass-through"); + CHECK_USAGE(append_flag, "--append", 
"--pass-through"); + CHECK_USAGE(rename_batch_file, "--rename-batch-file", "--pass-through"); +- CHECK_USAGE(no_abs_paths_flag, "--no-absolute-pathnames", ++ CHECK_USAGE(abs_paths_flag, "--absolute-pathnames", + "--pass-through"); + CHECK_USAGE(to_stdout_option, "--to-stdout", "--pass-through"); + +@@ -740,7 +747,6 @@ + textdomain (PACKAGE); + + program_name = argv[0]; +- umask (0); + + #ifdef __TURBOC__ + _fmode = O_BINARY; /* Put stdin and stdout in binary mode. */ +@@ -751,6 +757,7 @@ + #endif + + process_args (argc, argv); ++ sys_umask = umask (0); + + initialize_buffers (); + -- 2.39.2
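Review bot: In the added `safer_name_suffix` (src/copyin.c part of cpio-2.6-security_fixes-1.patch), `alloca (prefix_len + 1)` sizes a stack buffer from the member name read out of the archive, only to print the diagnostic; how long `c_name` may be is decided outside this patch, so a long stripped prefix could exhaust the stack. The copy can be dropped by changing the `%s` conversion in that `error` call to `%.*s` and passing `(int) prefix_len, file_name` as its arguments. Separately, the comment left above the renamed flag in src/global.c ("If true, don't use any absolute paths, ...") now states the opposite of what `abs_paths_flag` means and should say that a true value keeps absolute paths and leading ".." components as found in the archive. The `utime` call in copyin.c still operates on the path name after the descriptor is closed, so the descriptor-based change covers ownership and mode but not timestamps.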