FIXED

Martin Schulze wrote on 07.10.2005 17:51:
> --------------------------------------------------------------------------
> Debian Security Advisory DSA 846-1                     security@debian.org
> http://www.debian.org/security/                             Martin Schulze
> October 7th, 2005                       http://www.debian.org/security/faq
> --------------------------------------------------------------------------
>
> Package        : cpio
> Vulnerability  : several
> Problem type   : local (remote)
> Debian-specific: no
> CVE ID         : CAN-2005-1111 CAN-2005-1229
> Debian Bug     : 306693 305372
>
> Two vulnerabilities have been discovered in cpio, a program to manage
> archives of files. The Common Vulnerabilities and Exposures project
> identifies the following problems:
>
> CAN-2005-1111
>
>     Imran Ghory discovered a race condition in setting the file
>     permissions of files extracted from cpio archives. A local
>     attacker with write access to the target directory could exploit
>     this to alter the permissions of arbitrary files the extracting
>     user has write permissions for.
>
> CAN-2005-1229
>
>     Imran Ghory discovered that cpio does not sanitise the path of
>     extracted files even if the --no-absolute-filenames option was
>     specified. This can be exploited to install files in arbitrary
>     locations where the extracting user has write permissions to.
>
> For the old stable distribution (woody) these problems have been fixed in
> version 2.4.2-39woody2.
>
> For the stable distribution (sarge) these problems have been fixed in
> version 2.5-1.3.
>
> For the unstable distribution (sid) these problems have been fixed in
> version 2.6-6.
>
> We recommend that you upgrade your cpio package.
>
>
> Upgrade Instructions
> --------------------
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 3.0 alias woody
> --------------------------------
>
> [source and per-architecture package URLs with Size/MD5 checksums omitted]
>
>
> Debian GNU/Linux 3.1 alias sarge
> --------------------------------
>
> [source and per-architecture package URLs with Size/MD5 checksums omitted]
>
>
> These files will probably be moved into the stable distribution on
> its next update.
>
> ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

--
debianforum.de - the German-language support website for the Debian project <http://www.debianforum.de>
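As an added, defender-side example (not from the advisory, the forum poster, or the cpio project): a small Python parser for the "newc" cpio header format that lists entry names and flags absolute or parent-directory paths before anything is extracted, the class of names that CAN-2005-1229 concerns. The helper that builds the archive, the entry names and the file contents are all constructed for this example.

```python
# Added example: pre-extraction path check for newc-format cpio archives.
# Sample archive bytes below are constructed here, not taken from a real file.
import posixpath

NEWC_MAGIC = b"070701"   # magic for the SVR4 "newc" (ASCII, no CRC) format

def newc_entry(name: str, data: bytes = b"", mode: int = 0o100644) -> bytes:
    """Build one newc record (header + name + data) for the constructed sample."""
    name_b = name.encode() + b"\0"
    # Field order: ino, mode, uid, gid, nlink, mtime, filesize,
    #              devmajor, devminor, rdevmajor, rdevminor, namesize, check
    fields = [1, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    rec = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields) + name_b
    rec += b"\0" * (-len(rec) % 4)            # header+name padded to 4 bytes
    rec += data + b"\0" * (-len(data) % 4)    # data padded to 4 bytes
    return rec

def list_names(archive: bytes) -> list:
    """Walk the records and return entry names, stopping at the TRAILER!!! entry."""
    names, off = [], 0
    while off + 110 <= len(archive):          # 6-byte magic + 13 * 8 hex chars
        if archive[off:off + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % off)
        hexf = archive[off + 6:off + 110]
        filesize = int(hexf[48:56], 16)       # 7th field
        namesize = int(hexf[88:96], 16)       # 12th field, includes the NUL
        name = archive[off + 110:off + 110 + namesize - 1].decode()
        if name == "TRAILER!!!":
            break
        names.append(name)
        off += 110 + namesize
        off += -off % 4                       # skip header/name padding
        off += filesize
        off += -off % 4                       # skip data padding
    return names

def unsafe_entries(archive: bytes) -> list:
    """Names that would land outside the extraction directory if written as-is."""
    bad = []
    for name in list_names(archive):
        norm = posixpath.normpath(name)
        if name.startswith("/") or norm == ".." or norm.startswith("../"):
            bad.append(name)
    return bad

# Constructed sample: one safe entry, one absolute path, one "../" escape.
SAMPLE = (newc_entry("etc/motd", b"hello\n")
          + newc_entry("/etc/example.conf", b"x\n")
          + newc_entry("lib/../../escaped", b"y\n")
          + newc_entry("TRAILER!!!"))

if __name__ == "__main__":
    print("entries:", list_names(SAMPLE))
    print("would escape the target directory:", unsafe_entries(SAMPLE))
```

A wrapper that refuses to run cpio when `unsafe_entries` is non-empty gives the behaviour the advisory says `--no-absolute-filenames` failed to provide in the affected versions.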