MDKSA-2007:233
- Package name: cpio
- Date: 2007-11-28
- Advisory ID: MDKSA-2007:233
- Affected versions: CS4.0 i586, CS4.0 x86_64, MNF2.0 i586, 2007.0 x86_64, 2007.1 i586, 2007.0 i586, CS3.0 x86_64, 2008.0 x86_64, CS3.0 i586, 2008.0 i586, 2007.1 x86_64
Problem description
A buffer overflow in the safer_name_suffix function in GNU cpio
has unspecified attack vectors and impact, resulting in a crashing
stack. This problem was originally found in tar, but affects cpio too,
due to similar code fragments. (CVE-2007-4476)

A directory traversal vulnerability in cpio 2.6 and earlier allows remote
attackers to write to arbitrary directories via a .. (dot dot) in a
cpio file. This is an old issue, affecting only Mandriva Corporate
Server 4 and Mandriva Linux 2007. (CVE-2005-1229)

The updated packages fix these issues.
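
On hosts that cannot be updated immediately, archive member names can be checked before extraction. The following Python code is an added example, not part of the Mandriva advisory or the cpio sources: it reads the SVR4 "newc" cpio format and reports names containing a .. component, and it goes slightly beyond the advisory by also reporting absolute names. The function names and the sample archive are constructed for illustration.

```python
# Added example: flag unsafe member names in an SVR4 "newc" cpio archive.
MAGICS = (b"070701", b"070702")   # newc and newc-with-checksum
HDR_LEN = 110                     # 6-byte magic + 13 eight-digit hex fields

def _pad4(n):
    """Bytes needed to reach the next 4-byte boundary."""
    return (4 - n % 4) % 4

def iter_newc_names(data):
    """Yield each member name from a newc cpio archive held in bytes."""
    off = 0
    while off + HDR_LEN <= len(data):
        hdr = data[off:off + HDR_LEN]
        if hdr[:6] not in MAGICS:
            raise ValueError("no newc header at offset %d" % off)
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        start = off + HDR_LEN
        name = data[start:start + namesize].rstrip(b"\0")
        if name == b"TRAILER!!!":          # end-of-archive marker
            return
        yield name.decode("utf-8", "surrogateescape")
        off = start + namesize
        off += _pad4(off)                  # name is NUL-padded to 4 bytes
        off += filesize
        off += _pad4(off)                  # so is the file data

def unsafe_members(data):
    """Names that are absolute or contain a '..' path component."""
    return [n for n in iter_newc_names(data)
            if n.startswith("/") or ".." in n.split("/")]

def _entry(name, body=b""):
    """Build one constructed newc record (sample data only)."""
    n = name.encode() + b"\0"
    f = [0, 0o100644, 0, 0, 1, 0, len(body), 0, 0, 0, 0, len(n), 0]
    out = b"070701" + b"".join(b"%08X" % v for v in f) + n
    out += b"\0" * _pad4(len(out))
    return out + body + b"\0" * _pad4(len(out) + len(body))

# Constructed sample archive, not taken from the advisory.
SAMPLE = b"".join(_entry(*e) for e in [
    ("docs/readme.txt", b"hello"), ("../outside.txt", b"x"),
    ("a..b/ok",), ("/abs/path",), ("TRAILER!!!",)])

if __name__ == "__main__":
    for name in unsafe_members(SAMPLE):
        print("unsafe member name:", name)
```

The check splits on "/" so that a name such as a..b/ok, which merely contains two dots, is not reported.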
Updated packages
CS4.0 i586
79936c67409d3889d7988fecfde649b5 corporate/4.0/i586/cpio-2.6-5.1.20060mlcs4.i586.rpm
593f22ed1a261614a1f0d45932b6c441 corporate/4.0/SRPMS/cpio-2.6-5.1.20060mlcs4.src.rpm
CS4.0 x86_64
a32dd1c2fcb89b32dacd9c7f5d56acd7 corporate/4.0/x86_64/cpio-2.6-5.1.20060mlcs4.x86_64.rpm
593f22ed1a261614a1f0d45932b6c441 corporate/4.0/SRPMS/cpio-2.6-5.1.20060mlcs4.src.rpm
MNF2.0 i586
3abab72dae445f67c65d58f975f8816c mnf/2.0/i586/cpio-2.5-4.4.M20mdk.i586.rpm
2a1e733d240e05b2771c135ebcbca4d4 mnf/2.0/SRPMS/cpio-2.5-4.4.M20mdk.src.rpm
2007.0 x86_64
fc1e32f7b528997237b392b1c1da9c3c 2007.0/x86_64/cpio-2.6-7.1mdv2007.0.x86_64.rpm
250697255ccc671ca2a01c2ba762aac6 2007.0/SRPMS/cpio-2.6-7.1mdv2007.0.src.rpm
2007.1 i586
0814f474aa054b2b7fc92af6e1f5ba01 2007.1/i586/cpio-2.7-3.1mdv2007.1.i586.rpm
7292ed206fa271c377cbe72577b42a0d 2007.1/SRPMS/cpio-2.7-3.1mdv2007.1.src.rpm
2007.0 i586
88af30721a848b5fd4b3e26c5c055846 2007.0/i586/cpio-2.6-7.1mdv2007.0.i586.rpm
250697255ccc671ca2a01c2ba762aac6 2007.0/SRPMS/cpio-2.6-7.1mdv2007.0.src.rpm
CS3.0 x86_64
dc91afd2f8c7b93a95b898cc9a98182a corporate/3.0/x86_64/cpio-2.5-4.4.C30mdk.x86_64.rpm
10e1e7fcb59c195b6f679b80e75fade0 corporate/3.0/SRPMS/cpio-2.5-4.4.C30mdk.src.rpm
2008.0 x86_64
953e95a47bb9a978aa1b98e1c7f56e65 2008.0/x86_64/cpio-2.9-2.1mdv2008.0.x86_64.rpm
de436966331be58abba226049bff8edf 2008.0/SRPMS/cpio-2.9-2.1mdv2008.0.src.rpm
CS3.0 i586
4dfe1f2b387d396eca07927d65a77ce4 corporate/3.0/i586/cpio-2.5-4.4.C30mdk.i586.rpm
10e1e7fcb59c195b6f679b80e75fade0 corporate/3.0/SRPMS/cpio-2.5-4.4.C30mdk.src.rpm
2008.0 i586
a6747328c665be64979fee53f3878fdb 2008.0/i586/cpio-2.9-2.1mdv2008.0.i586.rpm
de436966331be58abba226049bff8edf 2008.0/SRPMS/cpio-2.9-2.1mdv2008.0.src.rpm
2007.1 x86_64
851d9793b6f791817bc76b558f8fdd5b 2007.1/x86_64/cpio-2.7-3.1mdv2007.1.x86_64.rpm
7292ed206fa271c377cbe72577b42a0d 2007.1/SRPMS/cpio-2.7-3.1mdv2007.1.src.rpm
