Login
Newsletter
Werbung

Sicherheit: Zwei Probleme in cpio
Aktuelle Meldungen Distributionen
Name: Zwei Probleme in cpio
ID: MDKSA-2007:233
Distribution: Mandriva
Plattformen: Mandriva Corporate 3.0, Mandriva Multi Network Firewall 2.0, Mandriva Corporate 4.0, Mandriva 2007.0, Mandriva 2007.1, Mandriva 2008.0
Datum: Do, 29. November 2007, 00:22
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4476
Applikationen: GNU cpio

Originalnachricht

This is a multi-part message in MIME format...

------------=_1196292146-4794-5309


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2007:233
http://www.mandriva.com/security/
_______________________________________________________________________

Package : cpio
Date : November 28, 2007
Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0,
Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

Buffer overflow in the safer_name_suffix function in GNU cpio
has unspecified attack vectors and impact, resulting in a crashing
stack. This problem is originally found in tar, but affects cpio too,
due to similar code fragments. (CVE-2007-4476)

Directory traversal vulnerability in cpio 2.6 and earlier allows remote
attackers to write to arbitrary directories via a .. (dot dot) in a
cpio file. This is an old issue, affecting only Mandriva Corporate
Server 4 and Mandriva Linux 2007. (CVE-2005-1229)

Updated package fixes these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1229
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.0:
88af30721a848b5fd4b3e26c5c055846 2007.0/i586/cpio-2.6-7.1mdv2007.0.i586.rpm
250697255ccc671ca2a01c2ba762aac6 2007.0/SRPMS/cpio-2.6-7.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
fc1e32f7b528997237b392b1c1da9c3c
2007.0/x86_64/cpio-2.6-7.1mdv2007.0.x86_64.rpm
250697255ccc671ca2a01c2ba762aac6 2007.0/SRPMS/cpio-2.6-7.1mdv2007.0.src.rpm

Mandriva Linux 2007.1:
0814f474aa054b2b7fc92af6e1f5ba01 2007.1/i586/cpio-2.7-3.1mdv2007.1.i586.rpm
7292ed206fa271c377cbe72577b42a0d 2007.1/SRPMS/cpio-2.7-3.1mdv2007.1.src.rpm

Mandriva Linux 2007.1/X86_64:
851d9793b6f791817bc76b558f8fdd5b
2007.1/x86_64/cpio-2.7-3.1mdv2007.1.x86_64.rpm
7292ed206fa271c377cbe72577b42a0d 2007.1/SRPMS/cpio-2.7-3.1mdv2007.1.src.rpm

Mandriva Linux 2008.0:
a6747328c665be64979fee53f3878fdb 2008.0/i586/cpio-2.9-2.1mdv2008.0.i586.rpm
de436966331be58abba226049bff8edf 2008.0/SRPMS/cpio-2.9-2.1mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
953e95a47bb9a978aa1b98e1c7f56e65
2008.0/x86_64/cpio-2.9-2.1mdv2008.0.x86_64.rpm
de436966331be58abba226049bff8edf 2008.0/SRPMS/cpio-2.9-2.1mdv2008.0.src.rpm

Corporate 3.0:
4dfe1f2b387d396eca07927d65a77ce4
corporate/3.0/i586/cpio-2.5-4.4.C30mdk.i586.rpm
10e1e7fcb59c195b6f679b80e75fade0
corporate/3.0/SRPMS/cpio-2.5-4.4.C30mdk.src.rpm

Corporate 3.0/X86_64:
dc91afd2f8c7b93a95b898cc9a98182a
corporate/3.0/x86_64/cpio-2.5-4.4.C30mdk.x86_64.rpm
10e1e7fcb59c195b6f679b80e75fade0
corporate/3.0/SRPMS/cpio-2.5-4.4.C30mdk.src.rpm

Corporate 4.0:
79936c67409d3889d7988fecfde649b5
corporate/4.0/i586/cpio-2.6-5.1.20060mlcs4.i586.rpm
593f22ed1a261614a1f0d45932b6c441
corporate/4.0/SRPMS/cpio-2.6-5.1.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
a32dd1c2fcb89b32dacd9c7f5d56acd7
corporate/4.0/x86_64/cpio-2.6-5.1.20060mlcs4.x86_64.rpm
593f22ed1a261614a1f0d45932b6c441
corporate/4.0/SRPMS/cpio-2.6-5.1.20060mlcs4.src.rpm

Multi Network Firewall 2.0:
3abab72dae445f67c65d58f975f8816c mnf/2.0/i586/cpio-2.5-4.4.M20mdk.i586.rpm
2a1e733d240e05b2771c135ebcbca4d4 mnf/2.0/SRPMS/cpio-2.5-4.4.M20mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHTfdRmqjQ0CJFipgRAiBcAJ9lW2Xb2u2NBqtF/Gfl90DlD3yXLgCg1atN
gTm4NWlU7BE5H/nvQQzHhgU=
=Fg/j
-----END PGP SIGNATURE-----


------------=_1196292146-4794-5309
Content-Type: text/plain; name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://www.mandrivastore.com
Join the Club : http://www.mandrivaclub.com
_______________________________________________________

------------=_1196292146-4794-5309--
Pro-Linux
Gewinnspiel
Neue Nachrichten
Werbung