
Mandriva alert MDKSA-2005:116-1 (cpio)

From:  Mandriva Security Team <security@mandriva.com>
To:  security-announce@mandrivalinux.org
Subject:  [Security Announce] MDKSA-2005:116-1 - Updated cpio packages fix vulnerabilities
Date:  Tue, 19 Jul 2005 19:33:44 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           cpio
 Advisory ID:            MDKSA-2005:116-1
 Date:                   July 19th, 2005
 Original Advisory Date: July 11th, 2005
 Affected versions:      10.0, 10.1, 10.2, Corporate 3.0,
                         Corporate Server 2.1,
                         Multi Network Firewall 2.0
 ______________________________________________________________________

 Problem Description:

 A race condition has been found in cpio 2.6 and earlier which allows
 local users to modify permissions of arbitrary files via a hard link
 attack on a file while it is being decompressed, whose permissions are
 changed by cpio after the decompression is complete (CAN-2005-1111).

 A vulnerability has been discovered in cpio that allows a malicious
 cpio file to extract to an arbitrary directory of the attacker's
 choice. cpio will extract to the path specified in the cpio file; this
 path can be absolute (CAN-2005-1229).

 Update:

 The previous packages had a problem upgrading due to an unresolved
 issue with tar and rmt. These packages correct the problem.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1111
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1229
 ______________________________________________________________________

 Updated Packages:

 Mandrakelinux 10.0:
 5e09657806ea7779182c7e5a49c22be8  10.0/RPMS/cpio-2.5-4.2.100mdk.i586.rpm
 407b3cef16e5d7153c3af0a685df7109  10.0/SRPMS/cpio-2.5-4.2.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 4a1947f3c7fc27f0b6cc0d9bdf97cfd8  amd64/10.0/RPMS/cpio-2.5-4.2.100mdk.amd64.rpm
 407b3cef16e5d7153c3af0a685df7109  amd64/10.0/SRPMS/cpio-2.5-4.2.100mdk.src.rpm

 Mandrakelinux 10.1:
 c808f5a1689a006e9049e1d8a37ede70  10.1/RPMS/cpio-2.5-4.3.101mdk.i586.rpm
 907e5f404afe7cdd649f8aeaa8444914  10.1/SRPMS/cpio-2.5-4.3.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 71ab78c534f9552ad081c625e92afb45  x86_64/10.1/RPMS/cpio-2.5-4.3.101mdk.x86_64.rpm
 907e5f404afe7cdd649f8aeaa8444914  x86_64/10.1/SRPMS/cpio-2.5-4.3.101mdk.src.rpm

 Mandrakelinux 10.2:
 9db16a5fa7bfc85aa7bb2d199ab5d825  10.2/RPMS/cpio-2.6-3.1.102mdk.i586.rpm
 131667db822df5a4cec71e24cdc51b69  10.2/SRPMS/cpio-2.6-3.1.102mdk.src.rpm

 Mandrakelinux 10.2/X86_64:
 4d5b31e9bdd5d1c81fc61ec3a863f7ff  x86_64/10.2/RPMS/cpio-2.6-3.1.102mdk.x86_64.rpm
 131667db822df5a4cec71e24cdc51b69  x86_64/10.2/SRPMS/cpio-2.6-3.1.102mdk.src.rpm

 Multi Network Firewall 2.0:
 25c062c9ad406ac7f68f9339d4c5694a  mnf/2.0/RPMS/cpio-2.5-4.2.M20mdk.i586.rpm
 06317e96fc89042c8869f1d2a5030705  mnf/2.0/SRPMS/cpio-2.5-4.2.M20mdk.src.rpm

 Corporate Server 2.1:
 fe2a5bdd208f9ce6fcf87b90a87dbbdf  corporate/2.1/RPMS/cpio-2.5-4.2.C21mdk.i586.rpm
 950d0f7e96d109e965fb9d6d8f500813  corporate/2.1/SRPMS/cpio-2.5-4.2.C21mdk.src.rpm

 Corporate Server 2.1/X86_64:
 826500d3531ce8aff99afaf97eb8a8a7  x86_64/corporate/2.1/RPMS/cpio-2.5-4.2.C21mdk.x86_64.rpm
 950d0f7e96d109e965fb9d6d8f500813  x86_64/corporate/2.1/SRPMS/cpio-2.5-4.2.C21mdk.src.rpm

 Corporate 3.0:
 44667c0001e9da72f56c109f9f451c22  corporate/3.0/RPMS/cpio-2.5-4.2.C30mdk.i586.rpm
 a7beddf04ef0e065dad9af2387393c22  corporate/3.0/SRPMS/cpio-2.5-4.2.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 94803dd8ac6d1a1fc5436c04f097b4a1  x86_64/corporate/3.0/RPMS/cpio-2.5-4.2.C30mdk.x86_64.rpm
 a7beddf04ef0e065dad9af2387393c22  x86_64/corporate/3.0/SRPMS/cpio-2.5-4.2.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFC3an4mqjQ0CJFipgRAtTSAKDmYcYDv41kYLHShC90ME0uLgozqgCgq2dq
2kA1WxNrxfbrcQLqvvnZJ1s=
=UNP2
-----END PGP SIGNATURE-----
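
The absolute-path issue in the advisory (CAN-2005-1229) can be checked for before an untrusted archive is extracted. The following is an added example, not part of the Mandriva advisory or of cpio itself: it reads the member names from an SVR4 "newc" cpio archive and reports those that would land outside the extraction directory. It goes slightly beyond the advisory by also flagging `..` components; the function names and the sample archive are constructed for illustration, and only the newc/crc header format is handled.

```python
MAGICS = (b"070701", b"070702")  # SVR4 "newc" and "crc" header magics
HDR_LEN = 110                    # 6-byte magic + 13 fields of 8 hex digits

def _pad4(n):
    return (n + 3) & ~3          # names and data are padded to 4-byte boundaries

def list_members(blob):
    """Yield member names from a newc-format cpio archive held in bytes."""
    off = 0
    while True:
        hdr = blob[off:off + HDR_LEN]
        if len(hdr) < HDR_LEN or hdr[:6] not in MAGICS:
            raise ValueError(f"bad or truncated cpio header at offset {off}")
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        start = off + HDR_LEN
        raw = blob[start:start + namesize]
        name = raw.rstrip(b"\0").decode("utf-8", "surrogateescape")
        if name == "TRAILER!!!":     # end-of-archive marker
            return
        yield name
        off = _pad4(_pad4(start + namesize) + filesize)

def unsafe_reason(name):
    """Return why a member name could escape the extraction directory, or None."""
    if name.startswith("/"):
        return "absolute path"
    if ".." in name.split("/"):
        return "parent-directory component"
    return None

def audit(blob):
    """Return (name, reason) for every member that should not be extracted as-is."""
    return [(n, unsafe_reason(n)) for n in list_members(blob) if unsafe_reason(n)]

def _entry(name, data=b""):
    """Build one newc entry; used only to construct the sample archive below."""
    n = name.encode() + b"\0"
    fields = [0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0]
    out = b"070701" + b"".join(b"%08X" % f for f in fields) + n
    out += b"\0" * (-len(out) % 4) + data
    return out + b"\0" * (-len(out) % 4)

# Constructed sample archive: one ordinary member, two that escape the target.
SAMPLE = b"".join([_entry("docs/readme.txt", b"hello\n"),
                   _entry("/tmp/outside.txt", b"x"),
                   _entry("../up.txt"), _entry("TRAILER!!!")])

if __name__ == "__main__":
    print(audit(SAMPLE))
```

GNU cpio's `--no-absolute-filenames` option makes extraction relative to the current directory; a pre-extraction audit like this one is useful where the archive should be rejected outright instead.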




Copyright © 2017, Eklektix, Inc.