[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <E1Nu4k4-00055I-Jl@titan.mandriva.com>
Date: Tue, 23 Mar 2010 15:06:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:065 ] cpio
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:065
http://www.mandriva.com/security/
_______________________________________________________________________
Package : cpio
Date : March 23, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
Enterprise Server 5.0, Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in cpio and tar:
Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c
in the rmt client functionality in GNU tar before 1.23 and GNU cpio
before 2.11 allows remote rmt servers to cause a denial of service
(memory corruption) or possibly execute arbitrary code by sending more
data than was requested, related to archive filenames that contain a :
(colon) character (CVE-2010-0624).
The Tar package as shipped with Mandriva Linux is not affected
by this vulnerability, but it was patched nonetheless in order to
provide additional security to customers who recompile the package
while having the rsh package installed.
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0624
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
56cdfb4e12affc6594049570fb8d35ce 2008.0/i586/cpio-2.9-2.2mdv2008.0.i586.rpm
705c2df54a9920908909423da574b32d 2008.0/i586/tar-1.18-1.2mdv2008.0.i586.rpm
596789a93702aecd07562281c9d48f78 2008.0/SRPMS/cpio-2.9-2.2mdv2008.0.src.rpm
b1a645b471280fa0e51c38aedfa504aa 2008.0/SRPMS/tar-1.18-1.2mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
d7eaf79ca34d67b5f152372813254cb1 2008.0/x86_64/cpio-2.9-2.2mdv2008.0.x86_64.rpm
2c97f01252660e80b9d00b7ebd7815e5 2008.0/x86_64/tar-1.18-1.2mdv2008.0.x86_64.rpm
596789a93702aecd07562281c9d48f78 2008.0/SRPMS/cpio-2.9-2.2mdv2008.0.src.rpm
b1a645b471280fa0e51c38aedfa504aa 2008.0/SRPMS/tar-1.18-1.2mdv2008.0.src.rpm
Mandriva Linux 2009.0:
a3058108cddda8dde95b20b9be7d2aae 2009.0/i586/cpio-2.9-5.1mdv2009.0.i586.rpm
8af041a2f14d3ea6761eb1ec77fa4964 2009.0/i586/tar-1.20-7.1mdv2009.0.i586.rpm
93f6cecaa13c9b3495721592305e1339 2009.0/SRPMS/cpio-2.9-5.1mdv2009.0.src.rpm
a755272047ac5cb179a5c294057154cd 2009.0/SRPMS/tar-1.20-7.1mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
ab93a4d266e37076e233aa2367a8c478 2009.0/x86_64/cpio-2.9-5.1mdv2009.0.x86_64.rpm
67ed3f23bcc8a8b633cbd8c8d7b9516b 2009.0/x86_64/tar-1.20-7.1mdv2009.0.x86_64.rpm
93f6cecaa13c9b3495721592305e1339 2009.0/SRPMS/cpio-2.9-5.1mdv2009.0.src.rpm
a755272047ac5cb179a5c294057154cd 2009.0/SRPMS/tar-1.20-7.1mdv2009.0.src.rpm
Mandriva Linux 2009.1:
2d0eeca73eb44a8c7e41c50fd4c20add 2009.1/i586/cpio-2.9-6.1mdv2009.1.i586.rpm
3cff4bb92b1ca2e074e1382f555bf7bc 2009.1/i586/tar-1.21-2.1mdv2009.1.i586.rpm
b5be5792c0e7e755554eae6c373a40dd 2009.1/SRPMS/cpio-2.9-6.1mdv2009.1.src.rpm
a5ed5628ea098b1687cd432aff6adb38 2009.1/SRPMS/tar-1.21-2.1mdv2009.1.src.rpm
Mandriva Linux 2009.1/X86_64:
d15356d257890237b4176c3206f03b4d 2009.1/x86_64/cpio-2.9-6.1mdv2009.1.x86_64.rpm
edd4211deb588b7b649606e8585bd15a 2009.1/x86_64/tar-1.21-2.1mdv2009.1.x86_64.rpm
b5be5792c0e7e755554eae6c373a40dd 2009.1/SRPMS/cpio-2.9-6.1mdv2009.1.src.rpm
a5ed5628ea098b1687cd432aff6adb38 2009.1/SRPMS/tar-1.21-2.1mdv2009.1.src.rpm
Mandriva Linux 2010.0:
bbe43728f9f8db2ceabba5dcb375e4a7 2010.0/i586/cpio-2.10-1.1mdv2010.0.i586.rpm
d5f150a07bf5fb6e6918b49f80742031 2010.0/i586/tar-1.22-2.1mdv2010.0.i586.rpm
f3379cc3d9787bda215d08dd56d33e3c 2010.0/SRPMS/cpio-2.10-1.1mdv2010.0.src.rpm
d6f6ed62e6c1cc2bf1761408427ff0a1 2010.0/SRPMS/tar-1.22-2.1mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
9bbaba5025e46793b44503684fe963a3 2010.0/x86_64/cpio-2.10-1.1mdv2010.0.x86_64.rpm
965f38e0f6d386e02d6a174f84871dd9 2010.0/x86_64/tar-1.22-2.1mdv2010.0.x86_64.rpm
f3379cc3d9787bda215d08dd56d33e3c 2010.0/SRPMS/cpio-2.10-1.1mdv2010.0.src.rpm
d6f6ed62e6c1cc2bf1761408427ff0a1 2010.0/SRPMS/tar-1.22-2.1mdv2010.0.src.rpm
Corporate 4.0:
f614d9c66ae80c195bff9126e1755284 corporate/4.0/i586/cpio-2.6-5.2.20060mlcs4.i586.rpm
2ab8ec94b6e698122a2965bc942f4507 corporate/4.0/i586/tar-1.15.1-5.5.20060mlcs4.i586.rpm
3ea902eef3045f53fc5731cd7d2ae9bd corporate/4.0/SRPMS/cpio-2.6-5.2.20060mlcs4.src.rpm
c4eb72165f7f6e82b8fa1e61f03ae8d8 corporate/4.0/SRPMS/tar-1.15.1-5.5.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
459a97a9a72f94a331f71a3ab7364d73 corporate/4.0/x86_64/cpio-2.6-5.2.20060mlcs4.x86_64.rpm
f6f389f792d26da8599ca3f52337bfda corporate/4.0/x86_64/tar-1.15.1-5.5.20060mlcs4.x86_64.rpm
3ea902eef3045f53fc5731cd7d2ae9bd corporate/4.0/SRPMS/cpio-2.6-5.2.20060mlcs4.src.rpm
c4eb72165f7f6e82b8fa1e61f03ae8d8 corporate/4.0/SRPMS/tar-1.15.1-5.5.20060mlcs4.src.rpm
Mandriva Enterprise Server 5:
610988c42706cc2285fa96a76d3f8591 mes5/i586/cpio-2.9-5.1mdvmes5.i586.rpm
54419d1d259783ed09eb650b50bcf92e mes5/i586/tar-1.20-7.1mdvmes5.i586.rpm
68ee2df00ed5e14e2b63848cd859314b mes5/SRPMS/cpio-2.9-5.1mdvmes5.src.rpm
323b0d0f9724a8bb47a19f9515796aa1 mes5/SRPMS/tar-1.20-7.1mdvmes5.src.rpm
Mandriva Enterprise Server 5/X86_64:
b15be67043a8fbafac508dee747145cc mes5/x86_64/cpio-2.9-5.1mdvmes5.x86_64.rpm
73e670bfd66de82d128329a65d616fd4 mes5/x86_64/tar-1.20-7.1mdvmes5.x86_64.rpm
68ee2df00ed5e14e2b63848cd859314b mes5/SRPMS/cpio-2.9-5.1mdvmes5.src.rpm
323b0d0f9724a8bb47a19f9515796aa1 mes5/SRPMS/tar-1.20-7.1mdvmes5.src.rpm
Multi Network Firewall 2.0:
cc7e0ee1931123b8d25535ef09a0bddb mnf/2.0/i586/tar-1.13.25-11.2.C30mdk.i586.rpm
899c3024740570ebd77ee27ce2caddcc mnf/2.0/SRPMS/tar-1.13.25-11.2.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFLqJpomqjQ0CJFipgRAsHHAJ92YyeHoAhhZ5XYWMdaLkqyHUKgHACgzBwE
Yb3u2qifffzdMrYlo8FlDKY=
=8efe
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists