CVE-1999-1572 in Red Hat
Summary
by MITRE
cpio on FreeBSD 2.1.0, Debian GNU/Linux 3.0, and possibly other operating systems, uses a 0 umask when creating files using the -O (archive) or -F options, which creates the files with mode 0666 and allows local users to read or overwrite those files.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/16/2026
The vulnerability described in CVE-1999-1572 represents a significant security flaw in the cpio utility across multiple operating systems including FreeBSD 2.1.0 and Debian GNU/Linux 3.0. This issue stems from the cpio command's improper handling of file permissions during archive creation operations, specifically when using the -O (archive) or -F (file) options. The root cause lies in the utility's implementation where it employs a null umask value of 0, which fundamentally undermines the expected security model for file creation processes.
The technical flaw manifests when cpio creates archive files or operates on existing files using the specified options. With a umask of 0, the utility creates files with default permissions set to 0666, which grants read and write access to all users on the system. This permission model creates a dangerous situation where any local user can potentially read sensitive data that was intended to be protected or overwrite files that should remain secure. The vulnerability directly violates the principle of least privilege and creates an attack surface that allows unauthorized access to potentially confidential information.
This vulnerability has substantial operational impact on systems running affected versions of cpio. Local users can exploit this flaw to gain unauthorized access to files that were created or modified through cpio operations, potentially leading to data breaches, information disclosure, or even system compromise through file overwrites. The issue affects systems where cpio is used for backup operations, file transfers, or system maintenance tasks, making it particularly dangerous in environments where sensitive data is frequently archived or manipulated. The widespread nature of this vulnerability across multiple operating systems amplifies its potential impact.
The vulnerability maps to CWE-276, which specifically addresses incorrect permissions for critical resources, and aligns with ATT&CK technique T1005 for data from local system. Effective mitigation strategies include updating to patched versions of cpio where the utility properly implements umask handling, configuring systems to use non-zero umask values, and implementing proper access controls for files created by cpio operations. Administrators should also consider implementing monitoring for unusual file creation patterns and ensuring that system updates are applied promptly to address such foundational security issues. The remediation process should include comprehensive testing of cpio operations to verify that proper permission handling is restored and that no existing files have been compromised through the vulnerability.