Debian: New cpio packages fix denial of service

    Date02 May 2008
    CategoryDebian
    4048
    Posted ByLinuxSecurity Advisories
    Dmitry Levin discovered a vulnerability in path handling code used by the cpio archive utility. The weakness could enable a denial of service (crash) or potentially the execution of arbitrary code if a vulnerable version of cpio is used to extract or to list the contents of a maliciously crafted archive.
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1566-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                               Steve Kemp
    May 02, 2008                          http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : cpio
    Vulnerability  : programming error
    Problem type   : local (remote)
    Debian-specific: no
    CVE Id(s)      : CVE-2007-4476
    
    Dmitry Levin discovered a vulnerability in path handling code used by
    the cpio archive utility.  The weakness could enable a denial of
    service (crash) or potentially the execution of arbitrary code if a
    vulnerable version of cpio is used to extract or to list the contents
    of a maliciously crafted archive.
    
    For the stable distribution (etch), these problems have been fixed in
    version 2.6-18.1+etch1.
    
    For the unstable distribution (sid), these problems have been fixed in
    version 2.9-5.
    
    We recommend that you upgrade your cpio packages.
    
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration. 
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6.orig.tar.gz
        Size/MD5 checksum:   556018 76b4145f33df088a5bade3bf4373d17d
      http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1.dsc
        Size/MD5 checksum:      556 fdcfe9fa17130663f3fcb21aebb52924
      http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1.diff.gz
        Size/MD5 checksum:    92775 78d1098c15d92c0d5bfe6c5dcc4e5652
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_alpha.deb
        Size/MD5 checksum:   146740 167eeae5237940f15b9eea7b1f754b65
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_amd64.deb
        Size/MD5 checksum:   136734 f827f70099b66a518fbd3e6782e7909b
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_arm.deb
        Size/MD5 checksum:   132108 b4ecfb2b81f84d1f82c268c0ccb0081d
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_hppa.deb
        Size/MD5 checksum:   143166 b7ca87731e442f3eaaf117113bfc941a
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_i386.deb
        Size/MD5 checksum:   132096 c490f550663e524725544d389546e56f
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_ia64.deb
        Size/MD5 checksum:   171990 be7ca34414f4bfa4129379c9eea3473f
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_mips.deb
        Size/MD5 checksum:   146084 f57b7e09e1705692427220cd1932ea1a
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_mipsel.deb
        Size/MD5 checksum:   145348 2010baf76d3039417c6b6bca1eba1246
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_powerpc.deb
        Size/MD5 checksum:   138322 229edae58b3b4387dcfdcf8717932cb4
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_s390.deb
        Size/MD5 checksum:   143878 60c6e036d5df8c67e74f301fa14b4e9f
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_sparc.deb
        Size/MD5 checksum:   131248 63a51ec9ac633327f21d27c616d604ba
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"24","type":"x","order":"1","pct":54.55,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":11.36,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"15","type":"x","order":"3","pct":34.09,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.