Mandriva Advisories

Package name: cpio
Date: July 11th, 2005
Advisory ID: MDKSA-2005:116
Affected versions: 10.0, 10.1, CS2.1, CS3.0, MNF2.0, 10.2
Synopsis: Updated cpio packages fix vulnerabilities

Problem Description

A race condition has been found in cpio 2.6 and earlier that allows local
users to modify the permissions of arbitrary files. cpio writes an extracted
file, closes it, and only then sets its permissions by path name; a local
attacker who replaces the just-written file with a hard link to another file
in that window causes cpio to apply the archived permissions to the link
target instead. (CAN-2005-1111)
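
The window described above, shown as an added Python example (this is not
cpio's source or Mandriva's patch). Both functions extract one file into a
directory while a simulated attacker, modelled as a hook called synchronously
where a real attacker would have to win a race, swaps the new file for a hard
link to a victim file between the write and the permission change. The
chmod-by-path version changes the victim's mode; the fchmod-on-descriptor
version, the general form of the fix, does not. All file and function names
are chosen for the demonstration.

```python
import os
import stat
import tempfile

# Added demonstration of the chmod-after-write race (CAN-2005-1111 pattern);
# not cpio's code. The "attacker" is a hook invoked where a real attacker
# would have to race the extracting process.


def extract_chmod_by_path(dest_dir, name, data, mode, attacker=None):
    """Vulnerable pattern: write, close, then chmod() the *name*.

    Whatever the name refers to at chmod() time receives the new mode.
    """
    path = os.path.join(dest_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    if attacker:
        attacker(path)           # the race window
    os.chmod(path, mode)         # follows the (now replaced) name
    return path


def extract_fchmod(dest_dir, name, data, mode, attacker=None):
    """Hardened pattern: fchmod() the open descriptor of the inode we wrote.

    A later unlink/link of the name cannot redirect the permission change.
    """
    path = os.path.join(dest_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, data)
        if attacker:
            attacker(path)       # same window, but we still hold the fd
        os.fchmod(fd, mode)      # applies to our inode, not to `path`
    finally:
        os.close(fd)
    return path


def hardlink_swap(victim):
    """Attacker step: replace the freshly extracted name with a hard link to victim."""
    def swap(path):
        os.unlink(path)
        os.link(victim, path)
    return swap


def victim_mode_after(extract):
    """Run one extraction strategy against a 0600 victim; return the victim's final mode."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")          # constructed sample file
        with open(victim, "wb") as f:
            f.write(b"private\n")
        os.chmod(victim, 0o600)
        extract(d, "extracted", b"payload\n", 0o666,
                attacker=hardlink_swap(victim))
        return stat.S_IMODE(os.stat(victim).st_mode)


if __name__ == "__main__":
    print("chmod(path): victim is now %o" % victim_mode_after(extract_chmod_by_path))
    print("fchmod(fd):  victim is still %o" % victim_mode_after(extract_fchmod))
```

The same reasoning applies to any metadata set by name after the file is
created (ownership, timestamps): operate on the descriptor, or on a
directory descriptor with the *at() family, never on a path that another
local user can rename or relink underneath you.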

A directory traversal vulnerability has been discovered in cpio that allows a
malicious cpio archive to extract files into an arbitrary directory of the
attacker's choice. cpio extracts each entry to the path stored in the archive,
and that path may be absolute (or step upwards with '..' components), so an
archive from an untrusted source can overwrite files outside the directory it
is being unpacked into. (CAN-2005-1229)
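
A pre-extraction check for the problem above, as an added Python example
rather than cpio's own code: a minimal reader for the SVR4 "newc" cpio
format (the layout written by cpio -o -H newc) that lists the stored paths
and flags every entry that would land outside the extraction directory,
whether through a leading slash or through '..' components that survive
normalisation. The sample archive is constructed inline; the helper names
are chosen for the example.

```python
import posixpath

# Added example, not cpio's own code: parse the SVR4 "newc" cpio format and
# flag stored paths that escape the extraction directory (CAN-2005-1229 class).

MAGIC = b"070701"          # newc magic; "070702" is the CRC variant
HEADER_LEN = 110           # 6-byte magic + 13 fields of 8 hex digits
TRAILER = "TRAILER!!!"


def _pad4(n):
    """Bytes needed to round n up to a multiple of 4 (newc aligns name and data)."""
    return (4 - n % 4) % 4


def build_newc(entries):
    """Build a newc archive of regular files from (name, data) pairs.

    Constructed test input only; no real stat information is recorded.
    """
    out = bytearray()
    for ino, (name, data) in enumerate(list(entries) + [(TRAILER, b"")], 1):
        raw_name = name.encode() + b"\0"
        mode = 0 if name == TRAILER else 0o100644
        # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(raw_name), 0]
        out += MAGIC + b"".join(b"%08x" % f for f in fields)
        out += raw_name + b"\0" * _pad4(HEADER_LEN + len(raw_name))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def iter_newc(archive):
    """Yield (name, mode, size) for each entry, stopping at the trailer."""
    off = 0
    while off + HEADER_LEN <= len(archive):
        hdr = archive[off:off + HEADER_LEN]
        if hdr[:6] != MAGIC:
            raise ValueError("bad newc magic at offset %d" % off)
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = fields[1], fields[6], fields[11]
        name_off = off + HEADER_LEN
        name = archive[name_off:name_off + namesize - 1].decode("utf-8", "replace")
        if name == TRAILER:
            return
        yield name, mode, size
        data_off = name_off + namesize + _pad4(HEADER_LEN + namesize)
        off = data_off + size + _pad4(size)
    raise ValueError("archive truncated: no trailer")


def is_unsafe_path(name):
    """True if extracting `name` relative to a directory could escape it."""
    if name.startswith("/"):
        return True
    return ".." in posixpath.normpath(name).split("/")


def unsafe_paths(archive):
    """Names in the archive that an extractor must refuse or rewrite."""
    return [name for name, _mode, _size in iter_newc(archive) if is_unsafe_path(name)]


# Constructed sample archive: two harmless entries and two that escape.
SAMPLE = build_newc([
    ("etc/motd", b"hello\n"),
    ("a/../b.txt", b"normalises to b.txt\n"),
    ("/etc/passwd", b"root::0:0::/:/bin/sh\n"),
    ("../../etc/cron.d/job", b"* * * * * root /tmp/x\n"),
])

if __name__ == "__main__":
    for name, mode, size in iter_newc(SAMPLE):
        flag = "UNSAFE" if is_unsafe_path(name) else ""
        print("%-24s %06o %5d %s" % (name, mode, size, flag))
```

In practice cpio -t < archive.cpio gives the same listing for a quick
manual look, and GNU cpio's --no-absolute-filenames strips leading slashes at
extraction time; the '..' case still has to be checked separately, which is
why the check above normalises the path before looking for it.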

The updated packages have been patched to address both of these issues.

Updated Packages

Mandrakelinux 10.0

 5e09657806ea7779182c7e5a49c22be8  10.0/RPMS/cpio-2.5-4.2.100mdk.i586.rpm
407b3cef16e5d7153c3af0a685df7109  10.0/SRPMS/cpio-2.5-4.2.100mdk.src.rpm

Mandrakelinux 10.0/AMD64

 4a1947f3c7fc27f0b6cc0d9bdf97cfd8  amd64/10.0/RPMS/cpio-2.5-4.2.100mdk.amd64.rpm
407b3cef16e5d7153c3af0a685df7109  amd64/10.0/SRPMS/cpio-2.5-4.2.100mdk.src.rpm

Mandrakelinux 10.1

 c808f5a1689a006e9049e1d8a37ede70  10.1/RPMS/cpio-2.5-4.3.101mdk.i586.rpm
907e5f404afe7cdd649f8aeaa8444914  10.1/SRPMS/cpio-2.5-4.3.101mdk.src.rpm

Mandrakelinux 10.1/X86_64

 71ab78c534f9552ad081c625e92afb45  x86_64/10.1/RPMS/cpio-2.5-4.3.101mdk.x86_64.rpm
907e5f404afe7cdd649f8aeaa8444914  x86_64/10.1/SRPMS/cpio-2.5-4.3.101mdk.src.rpm

Corporate Server 2.1

 fe2a5bdd208f9ce6fcf87b90a87dbbdf  corporate/2.1/RPMS/cpio-2.5-4.2.C21mdk.i586.rpm
950d0f7e96d109e965fb9d6d8f500813  corporate/2.1/SRPMS/cpio-2.5-4.2.C21mdk.src.rpm

Corporate Server 2.1/X86_64

 826500d3531ce8aff99afaf97eb8a8a7  x86_64/corporate/2.1/RPMS/cpio-2.5-4.2.C21mdk.x86_64.rpm
950d0f7e96d109e965fb9d6d8f500813  x86_64/corporate/2.1/SRPMS/cpio-2.5-4.2.C21mdk.src.rpm

Corporate Server 3.0

 44667c0001e9da72f56c109f9f451c22  corporate/3.0/RPMS/cpio-2.5-4.2.C30mdk.i586.rpm
a7beddf04ef0e065dad9af2387393c22  corporate/3.0/SRPMS/cpio-2.5-4.2.C30mdk.src.rpm

Corporate Server 3.0/X86_64

 94803dd8ac6d1a1fc5436c04f097b4a1  x86_64/corporate/3.0/RPMS/cpio-2.5-4.2.C30mdk.x86_64.rpm
a7beddf04ef0e065dad9af2387393c22  x86_64/corporate/3.0/SRPMS/cpio-2.5-4.2.C30mdk.src.rpm

Multi Network Firewall 2.0

 25c062c9ad406ac7f68f9339d4c5694a  mnf/2.0/RPMS/cpio-2.5-4.2.M20mdk.i586.rpm
06317e96fc89042c8869f1d2a5030705  mnf/2.0/SRPMS/cpio-2.5-4.2.M20mdk.src.rpm

Mandriva Linux LE2005

 9db16a5fa7bfc85aa7bb2d199ab5d825  10.2/RPMS/cpio-2.6-3.1.102mdk.i586.rpm
131667db822df5a4cec71e24cdc51b69  10.2/SRPMS/cpio-2.6-3.1.102mdk.src.rpm

Mandriva Linux LE2005/X86_64

 4d5b31e9bdd5d1c81fc61ec3a863f7ff  x86_64/10.2/RPMS/cpio-2.6-3.1.102mdk.x86_64.rpm
131667db822df5a4cec71e24cdc51b69  x86_64/10.2/SRPMS/cpio-2.6-3.1.102mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1111

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

    rpm --checksig package.rpm

rpm --checksig verifies the package digests and its GPG signature; the signature is only reported as OK once the Mandriva Security Team's public key has been imported into the rpm keyring with rpm --import. The md5 sums of the updated packages are listed above and can be compared against the output of md5sum.

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.