Message-Id: <E1Nu4k4-00055I-Jl@titan.mandriva.com>
Date: Tue, 23 Mar 2010 15:06:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:065 ] cpio


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:065
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : cpio
 Date    : March 23, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
           Enterprise Server 5.0, Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in cpio and tar:
 
 Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c
 in the rmt client functionality in GNU tar before 1.23 and GNU cpio
 before 2.11 allows remote rmt servers to cause a denial of service
 (memory corruption) or possibly execute arbitrary code by sending more
 data than was requested, related to archive filenames that contain a :
 (colon) character (CVE-2010-0624).
 
 The Tar package as shipped with Mandriva Linux is not affected
 by this vulnerability, but it was patched nonetheless in order to
 provide additional security to customers who recompile the package
 while having the rsh package installed.
 
 Packages for 2008.0 are provided for Corporate Desktop 2008.0
 customers.
 
 The updated packages have been patched to correct this issue.
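 As an added illustration of the bug class described above (example code, not Mandriva's or GNU tar's own), the C sketch below shows the client-side check that the described overflow lacks: the byte count claimed in the rmt server's reply is bounded by the length the client actually requested before anything is copied into the caller's buffer. The reply framing follows rmt(8); the in-memory server replies are constructed for the example, and the names rmt_read_checked and demo are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Simulated rmt server reply (constructed for this example). The rmt
 * protocol answers a read request "R<count>\n" with "A<n>\n" followed
 * by n bytes of tape data. */
struct rmt_reply { const char *bytes; size_t len; size_t pos; };

static int reply_getc(struct rmt_reply *r) {
    return r->pos < r->len ? (unsigned char)r->bytes[r->pos++] : EOF;
}

/* Parse the "A<n>\n" status line; -1 on malformed input. */
static long rmt_get_status(struct rmt_reply *r) {
    char line[32]; size_t i = 0; int c;
    while ((c = reply_getc(r)) != EOF && c != '\n' && i < sizeof line - 1)
        line[i++] = (char)c;
    line[i] = '\0';
    if (c != '\n' || line[0] != 'A' || line[1] == '\0') return -1;
    char *end; long n = strtol(line + 1, &end, 10);
    return (*end == '\0' && n >= 0) ? n : -1;
}

/* Hardened client read: store at most `length` bytes in buf. Returns the
 * bytes stored, or -1 with errno set when the server claims more data
 * than was requested, the condition behind CVE-2010-0624. */
long rmt_read_checked(struct rmt_reply *srv, char *buf, size_t length) {
    long status = rmt_get_status(srv);
    if (status < 0) { errno = EPROTO; return -1; }
    if ((size_t)status > length) { errno = EMSGSIZE; return -1; } /* bounds check */
    for (long i = 0; i < status; i++) {
        int c = reply_getc(srv);
        if (c == EOF) { errno = EIO; return -1; }  /* truncated reply */
        buf[i] = (char)c;
    }
    return status;
}

/* Feed a constructed reply through the checked read with an 8-byte buffer. */
long demo(const char *reply, size_t reply_len, size_t request) {
    struct rmt_reply r = { reply, reply_len, 0 };
    char buf[8];
    return request <= sizeof buf ? rmt_read_checked(&r, buf, request) : -1;
}

int main(void) {
    printf("%ld %ld\n", demo("A5\nhello", 8, 8), demo("A12\nhellohelloxx", 16, 8));
    return 0;
}
```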
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0624
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
