From b4d8ec44b97a9207a0f16abfd0b408ed9d2b346c Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj <odubaj@redhat.com>
Date: Feb 18 2021 11:42:49 +0000
Subject: Properly drop priviledges for remote command


Resolves: #1927257

---

diff --git a/cpio-2.13-reset-gid-uid.patch b/cpio-2.13-reset-gid-uid.patch
new file mode 100644
index 0000000..56f720d
--- /dev/null
+++ b/cpio-2.13-reset-gid-uid.patch
@@ -0,0 +1,63 @@
+From 5913893d6f3de65b16e1ad294b88893305efb20f Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Thu, 18 Feb 2021 09:59:31 +0100
+Subject: [PATCH] * lib/system.h (ERRNO_IS_EACCES): Remove.  Not used anymore.
+ (sys_reset_uid_gid): Re-initialize supplementary groups when switching
+ privileges. Fix ordering of setgid and setuid calls.
+
+---
+ lib/system.h | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/lib/system.h b/lib/system.h
+index 1c1a5d0..4fd3ce9 100644
+--- a/lib/system.h
++++ b/lib/system.h
+@@ -470,19 +470,37 @@ char *getenv ();
+ #if MSDOS
+ # include <process.h>
+ # define SET_BINARY_MODE(arc) setmode(arc, O_BINARY)
+-# define ERRNO_IS_EACCES errno == EACCES
+ # define mkdir(file, mode) (mkdir) (file)
+ # define TTY_NAME "con"
+ # define sys_reset_uid_gid()
+ #else
+ # define SET_BINARY_MODE(arc)
+-# define ERRNO_IS_EACCES 0
+ # define TTY_NAME "/dev/tty"
+-# define sys_reset_uid_gid()					\
+-  do {								\
+-    if (! (setuid (getuid ()) == 0 && setgid (getgid ()) == 0)) \
+-      abort ();							\
+-  } while (0)
++# include <paxlib.h>
++static inline void
++sys_reset_uid_gid (void)
++{
++  struct passwd *pw;
++  uid_t uid = getuid ();
++  gid_t gid = getgid ();
++  
++  if ((pw = getpwuid (uid)) == NULL)
++    {
++      FATAL_ERROR ((0, errno, "%s(%lu)", "getpwuid", (unsigned long)uid));
++    }
++  if (initgroups (pw->pw_name, getgid ()))
++    {
++      FATAL_ERROR ((0, errno, "%s", "initgroups"));
++    }
++  if (gid != getegid () && setgid (gid) && errno != EPERM)
++    {
++      FATAL_ERROR ((0, errno, "%s", "setgid"));
++    }
++  if (uid != geteuid () && setuid (uid) && errno != EPERM)
++    {
++      FATAL_ERROR ((0, errno, "%s", "setuid"));
++    }
++}
+ #endif
+ 
+ #if XENIX
+-- 
+2.26.0
+
diff --git a/cpio.spec b/cpio.spec
index 9cf2719..b7b2759 100644
--- a/cpio.spec
+++ b/cpio.spec
@@ -1,7 +1,7 @@
 Summary: A GNU archiving program
 Name: cpio
 Version: 2.13
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPLv3+
 URL: https://www.gnu.org/software/cpio/
 Source: https://ftp.gnu.org/gnu/cpio/cpio-%{version}.tar.bz2
@@ -48,6 +48,10 @@ Patch10: cpio-2.13-revert-CVE-2015-1197-fix.patch
 # https://www.mail-archive.com/bug-cpio@gnu.org/msg00605.html
 Patch11: cpio-2.11-retain-symlink-times.patch
 
+# Properly drop priviledges for remote command
+# http://git.savannah.gnu.org/cgit/paxutils.git/commit/?id=d247e3c2809a37b6d0c3067251d96bb7f12555e7
+Patch12: cpio-2.13-reset-gid-uid.patch
+
 Provides: bundled(gnulib)
 Provides: bundled(paxutils)
 Provides: /bin/cpio
@@ -109,6 +113,9 @@ make check || {
 %{_infodir}/*.info*
 
 %changelog
+* Thu Feb 18 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.13-10
+- Properly drop priviledges for remote command
+
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.13-9
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild