Dear cpio developers,

We are security researchers at Columbia University and we were testing a
bug-finding tool on cpio. We found a bug in version 2.12 of cpio on Ubuntu
16.04 due to inadequate directory permissions.

In Linux, when an extracted directory does not have execute permissions,
then cpio is unable to extract its contents into it. But cpio_mkdir in
src/util.c only checks if the write flag is missing, and only adds that
flag to the directory's mode. The if condition, "!(file_hdr->c_mode &
S_IWUSR)" should therefore be changed to "(file_hdr->c_mode & (S_IWUSR |
S_IXUSR)) != (S_IWUSR | S_IXUSR)", and the flags in mkdir should be changed
from "mode | S_IWUSR" to "mode | S_IWUSR | S_IXUSR".

Thanks,
Yuan Kang
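
The check described in this report, as an added example that is not part of the original message and not cpio's own source: it contrasts the quoted condition with the proposed one by creating a directory from an archived mode of 0600 and then trying to create a member inside it. The helper names and the `/tmp/cpio_demo_XXXXXX` scratch path are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
/* Added illustration, not cpio source; helper names are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check the report quotes from cpio_mkdir: only the owner write bit. */
static int needs_fixup_old(mode_t m) { return !(m & S_IWUSR); }

/* Check the report proposes: owner write AND search (execute) bits. */
static int needs_fixup_new(mode_t m)
{
    return (m & (S_IWUSR | S_IXUSR)) != (S_IWUSR | S_IXUSR);
}

/* Create a directory with the archived mode, widened as the chosen check
 * dictates, then try to create a member in it. 0 = member created. */
static int extract_dir_and_member(mode_t archived, int use_new_check)
{
    char base[] = "/tmp/cpio_demo_XXXXXX"; /* constructed scratch path */
    char dir[64], file[96];
    mode_t mode = archived;
    int fd, rc = -1;
    if (use_new_check && needs_fixup_new(archived))
        mode |= S_IWUSR | S_IXUSR;
    else if (!use_new_check && needs_fixup_old(archived))
        mode |= S_IWUSR;
    umask(077);                        /* keep owner bits deterministic */
    if (!mkdtemp(base)) return -1;
    snprintf(dir, sizeof dir, "%s/d", base);
    snprintf(file, sizeof file, "%s/member", dir);
    if (mkdir(dir, mode) == 0) {
        fd = open(file, O_CREAT | O_WRONLY, 0600);
        if (fd >= 0) { close(fd); unlink(file); rc = 0; }
        chmod(dir, 0700);              /* restore access for cleanup */
        rmdir(dir);
    }
    rmdir(base);
    return rc;
}

int main(void)
{
    printf("mode 0600, old check: %d\n", extract_dir_and_member(0600, 0));
    printf("mode 0600, new check: %d\n", extract_dir_and_member(0600, 1));
    return 0;
}
```

Run it as an unprivileged user: root bypasses directory permission checks, so the difference between the two conditions is not visible there.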
