Home page logo
/

bugtraq logo Bugtraq mailing list archives

MDKSA-2005:116 - Updated cpio packages fix vulnerabilities
From: Mandriva Security Team <security () mandriva com>
Date: Mon, 11 Jul 2005 20:35:53 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           cpio
 Advisory ID:            MDKSA-2005:116
 Date:                   July 11th, 2005

 Affected versions:      10.0, 10.1, 10.2, Corporate 3.0,
                         Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 A race condition has been found in cpio 2.6 and earlier which allows local 
 users to modify permissions of arbitrary files via a hard link attack on 
 a file while it is being decompressed, whose permissions are changed by 
 cpio after the decompression is complete. (CAN-2005-1111)
 
 A vulnerability has been discovered in cpio that allows a malicious cpio 
 file to extract to an arbitrary directory of the attackers choice. 
 Cpio will extract to the path specified in the cpio file, this path can be
 absolute. (CAN-2005-1229)
 
 The updated packages have been patched to address both of these issues.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1111
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1229
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 5e09657806ea7779182c7e5a49c22be8  10.0/RPMS/cpio-2.5-4.2.100mdk.i586.rpm
 407b3cef16e5d7153c3af0a685df7109  10.0/SRPMS/cpio-2.5-4.2.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 4a1947f3c7fc27f0b6cc0d9bdf97cfd8  amd64/10.0/RPMS/cpio-2.5-4.2.100mdk.amd64.rpm
 407b3cef16e5d7153c3af0a685df7109  amd64/10.0/SRPMS/cpio-2.5-4.2.100mdk.src.rpm

 Mandrakelinux 10.1:
 c808f5a1689a006e9049e1d8a37ede70  10.1/RPMS/cpio-2.5-4.3.101mdk.i586.rpm
 907e5f404afe7cdd649f8aeaa8444914  10.1/SRPMS/cpio-2.5-4.3.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 71ab78c534f9552ad081c625e92afb45  x86_64/10.1/RPMS/cpio-2.5-4.3.101mdk.x86_64.rpm
 907e5f404afe7cdd649f8aeaa8444914  x86_64/10.1/SRPMS/cpio-2.5-4.3.101mdk.src.rpm

 Mandrakelinux 10.2:
 9db16a5fa7bfc85aa7bb2d199ab5d825  10.2/RPMS/cpio-2.6-3.1.102mdk.i586.rpm
 131667db822df5a4cec71e24cdc51b69  10.2/SRPMS/cpio-2.6-3.1.102mdk.src.rpm

 Mandrakelinux 10.2/X86_64:
 4d5b31e9bdd5d1c81fc61ec3a863f7ff  x86_64/10.2/RPMS/cpio-2.6-3.1.102mdk.x86_64.rpm
 131667db822df5a4cec71e24cdc51b69  x86_64/10.2/SRPMS/cpio-2.6-3.1.102mdk.src.rpm

 Corporate Server 2.1:
 fe2a5bdd208f9ce6fcf87b90a87dbbdf  corporate/2.1/RPMS/cpio-2.5-4.2.C21mdk.i586.rpm
 950d0f7e96d109e965fb9d6d8f500813  corporate/2.1/SRPMS/cpio-2.5-4.2.C21mdk.src.rpm

 Corporate Server 2.1/X86_64:
 826500d3531ce8aff99afaf97eb8a8a7  x86_64/corporate/2.1/RPMS/cpio-2.5-4.2.C21mdk.x86_64.rpm
 950d0f7e96d109e965fb9d6d8f500813  x86_64/corporate/2.1/SRPMS/cpio-2.5-4.2.C21mdk.src.rpm

 Corporate 3.0:
 44667c0001e9da72f56c109f9f451c22  corporate/3.0/RPMS/cpio-2.5-4.2.C30mdk.i586.rpm
 a7beddf04ef0e065dad9af2387393c22  corporate/3.0/SRPMS/cpio-2.5-4.2.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 94803dd8ac6d1a1fc5436c04f097b4a1  x86_64/corporate/3.0/RPMS/cpio-2.5-4.2.C30mdk.x86_64.rpm
 a7beddf04ef0e065dad9af2387393c22  x86_64/corporate/3.0/SRPMS/cpio-2.5-4.2.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFC0yyJmqjQ0CJFipgRAoYkAJ9MY1g/YCtZLFFImxllc/04s9t/qgCgjOx0
Nz3fEb5LkdiVSEy+GpgMZIg=
=yysM
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • MDKSA-2005:116 - Updated cpio packages fix vulnerabilities Mandriva Security Team (Jul 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]