lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-id: <E1IxWC9-000401-O9@artemis.annvix.ca>
Date: Wed, 28 Nov 2007 16:19:53 -0700
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDKSA-2007:233 ] - Updated cpio package fixes buffer overflow and
 directory traversal vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2007:233
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : cpio
 Date    : November 28, 2007
 Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 Buffer overflow in the safer_name_suffix function in GNU cpio
 has unspecified attack vectors and impact, resulting in a crashing
 stack. This problem is originally found in tar, but affects cpio too,
 due to similar code fragments. (CVE-2007-4476)
 
 Directory traversal vulnerability in cpio 2.6 and earlier allows remote
 attackers to write to arbitrary directories via a .. (dot dot) in a
 cpio file. This is an old issue, affecting only Mandriva Corporate
 Server 4 and Mandriva Linux 2007. (CVE-2005-1229)
 
 Updated package fixes these issues.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4476
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1229
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 88af30721a848b5fd4b3e26c5c055846  2007.0/i586/cpio-2.6-7.1mdv2007.0.i586.rpm 
 250697255ccc671ca2a01c2ba762aac6  2007.0/SRPMS/cpio-2.6-7.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 fc1e32f7b528997237b392b1c1da9c3c  2007.0/x86_64/cpio-2.6-7.1mdv2007.0.x86_64.rpm 
 250697255ccc671ca2a01c2ba762aac6  2007.0/SRPMS/cpio-2.6-7.1mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 0814f474aa054b2b7fc92af6e1f5ba01  2007.1/i586/cpio-2.7-3.1mdv2007.1.i586.rpm 
 7292ed206fa271c377cbe72577b42a0d  2007.1/SRPMS/cpio-2.7-3.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 851d9793b6f791817bc76b558f8fdd5b  2007.1/x86_64/cpio-2.7-3.1mdv2007.1.x86_64.rpm 
 7292ed206fa271c377cbe72577b42a0d  2007.1/SRPMS/cpio-2.7-3.1mdv2007.1.src.rpm

 Mandriva Linux 2008.0:
 a6747328c665be64979fee53f3878fdb  2008.0/i586/cpio-2.9-2.1mdv2008.0.i586.rpm 
 de436966331be58abba226049bff8edf  2008.0/SRPMS/cpio-2.9-2.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 953e95a47bb9a978aa1b98e1c7f56e65  2008.0/x86_64/cpio-2.9-2.1mdv2008.0.x86_64.rpm 
 de436966331be58abba226049bff8edf  2008.0/SRPMS/cpio-2.9-2.1mdv2008.0.src.rpm

 Corporate 3.0:
 4dfe1f2b387d396eca07927d65a77ce4  corporate/3.0/i586/cpio-2.5-4.4.C30mdk.i586.rpm 
 10e1e7fcb59c195b6f679b80e75fade0  corporate/3.0/SRPMS/cpio-2.5-4.4.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 dc91afd2f8c7b93a95b898cc9a98182a  corporate/3.0/x86_64/cpio-2.5-4.4.C30mdk.x86_64.rpm 
 10e1e7fcb59c195b6f679b80e75fade0  corporate/3.0/SRPMS/cpio-2.5-4.4.C30mdk.src.rpm

 Corporate 4.0:
 79936c67409d3889d7988fecfde649b5  corporate/4.0/i586/cpio-2.6-5.1.20060mlcs4.i586.rpm 
 593f22ed1a261614a1f0d45932b6c441  corporate/4.0/SRPMS/cpio-2.6-5.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 a32dd1c2fcb89b32dacd9c7f5d56acd7  corporate/4.0/x86_64/cpio-2.6-5.1.20060mlcs4.x86_64.rpm 
 593f22ed1a261614a1f0d45932b6c441  corporate/4.0/SRPMS/cpio-2.6-5.1.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 3abab72dae445f67c65d58f975f8816c  mnf/2.0/i586/cpio-2.5-4.4.M20mdk.i586.rpm 
 2a1e733d240e05b2771c135ebcbca4d4  mnf/2.0/SRPMS/cpio-2.5-4.4.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHTfdRmqjQ0CJFipgRAiBcAJ9lW2Xb2u2NBqtF/Gfl90DlD3yXLgCg1atN
gTm4NWlU7BE5H/nvQQzHhgU=
=Fg/j
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ