>> Mandriva Security Update Fixes Multiple Cpio Vulnerabilities

Title : Mandriva Security Update Fixes Multiple Cpio Vulnerabilities
VUPEN ID : VUPEN/ADV-2005-1051
CVE ID : CVE-2005-1111 - CVE-2005-1229
CWE ID : CWE-
Rated as : Moderate Risk 
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2005-07-12


Technical Description

Mandriva has released a security update that corrects two vulnerabilities identified in cpio. The first flaw is a directory traversal error in the processing of specially crafted cpio archives, which may be exploited by attackers to create files in arbitrary locations on the user's system. The second is a race condition that allows local users to modify the permissions of arbitrary files via a hard link attack on a file while it is being decompressed: cpio changes the file's permissions only after decompression is complete. For additional information, see VUPEN/ADV-2005-0812.

Affected Products

Mandrakelinux 10.0
Mandrakelinux 10.1
Mandrakelinux 10.2
Corporate Server 2.1
Corporate 3.0

Solution

Use MandrakeUpdate or apply the patches :
Mandrakelinux 10.0:
5e09657806ea7779182c7e5a49c22be8 10.0/RPMS/cpio-2.5-4.2.100mdk.i586.rpm
407b3cef16e5d7153c3af0a685df7109 10.0/SRPMS/cpio-2.5-4.2.100mdk.src.rpm
Mandrakelinux 10.0/AMD64:
4a1947f3c7fc27f0b6cc0d9bdf97cfd8 amd64/10.0/RPMS/cpio-2.5-4.2.100mdk.amd64.rpm
407b3cef16e5d7153c3af0a685df7109 amd64/10.0/SRPMS/cpio-2.5-4.2.100mdk.src.rpm
Mandrakelinux 10.1:
c808f5a1689a006e9049e1d8a37ede70 10.1/RPMS/cpio-2.5-4.3.101mdk.i586.rpm
907e5f404afe7cdd649f8aeaa8444914 10.1/SRPMS/cpio-2.5-4.3.101mdk.src.rpm
Mandrakelinux 10.1/X86_64:
71ab78c534f9552ad081c625e92afb45 x86_64/10.1/RPMS/cpio-2.5-4.3.101mdk.x86_64.rpm
907e5f404afe7cdd649f8aeaa8444914 x86_64/10.1/SRPMS/cpio-2.5-4.3.101mdk.src.rpm
Mandrakelinux 10.2:
9db16a5fa7bfc85aa7bb2d199ab5d825 10.2/RPMS/cpio-2.6-3.1.102mdk.i586.rpm
131667db822df5a4cec71e24cdc51b69 10.2/SRPMS/cpio-2.6-3.1.102mdk.src.rpm
Mandrakelinux 10.2/X86_64:
4d5b31e9bdd5d1c81fc61ec3a863f7ff x86_64/10.2/RPMS/cpio-2.6-3.1.102mdk.x86_64.rpm
131667db822df5a4cec71e24cdc51b69 x86_64/10.2/SRPMS/cpio-2.6-3.1.102mdk.src.rpm
Corporate Server 2.1:
fe2a5bdd208f9ce6fcf87b90a87dbbdf corporate/2.1/RPMS/cpio-2.5-4.2.C21mdk.i586.rpm
950d0f7e96d109e965fb9d6d8f500813 corporate/2.1/SRPMS/cpio-2.5-4.2.C21mdk.src.rpm
Corporate Server 2.1/X86_64:
826500d3531ce8aff99afaf97eb8a8a7 x86_64/corporate/2.1/RPMS/cpio-2.5-4.2.C21mdk.x86_64.rpm
950d0f7e96d109e965fb9d6d8f500813 x86_64/corporate/2.1/SRPMS/cpio-2.5-4.2.C21mdk.src.rpm
Corporate 3.0:
44667c0001e9da72f56c109f9f451c22 corporate/3.0/RPMS/cpio-2.5-4.2.C30mdk.i586.rpm
a7beddf04ef0e065dad9af2387393c22 corporate/3.0/SRPMS/cpio-2.5-4.2.C30mdk.src.rpm
Corporate 3.0/X86_64:
94803dd8ac6d1a1fc5436c04f097b4a1 x86_64/corporate/3.0/RPMS/cpio-2.5-4.2.C30mdk.x86_64.rpm
a7beddf04ef0e065dad9af2387393c22 x86_64/corporate/3.0/SRPMS/cpio-2.5-4.2.C30mdk.src.rpm

References

http://www.vupen.com/english/advisories/2005/1051
http://archives.mandrivalinux.com/security-announce/2005-07/msg00009.php

ChangeLog

2005-07-12 : Initial release
