Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 452
Alerts This Week
Warning Icon 1 452

Ubuntu 14.10: USN-2456-1 Critical Cpio Denial Of Service Issue

ubuntu
Calendar Grey January 8, 2015
Dist Ubuntu Esm H88
Ubuntu Security Notice USN-2457-1 addresses cpio issues impacting several versions. Discover additional details here.
The GNU cpio program could be made to crash or run programs if itopened a specially crafted file or received specially crafted input.

Summary

The GNU cpio program could be made to crash or run programs if it

opened a specially crafted file or received specially crafted input.

Software Description:

- cpio: a program to manage archives of files

Details:

Michal Zalewski discovered an out of bounds write issue in the

process_copy_in function of GNU cpio. An attacker could specially

craft a cpio archive that could create a denial of service or possibly

execute arbitrary code. (CVE-2014-9112)

Jakob Lell discovered a heap-based buffer overflow in the rmt_read__

function of GNU cpio's rmt client functionality. An attacker

controlling a remote rmt server could use this to cause a denial of

service or possibly execute arbitrary code. This issue only affected

Ubuntu 10.04 LTS. (CVE-2010-0624)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.10:
  cpio                            2.11+dfsg-2ubuntu1.1

Ubuntu 14.04 LTS:
  cpio                            2.11+dfsg-1ubuntu1.1

Ubuntu 12.04 LTS:
  cpio                            2.11-7ubuntu3.1

Ubuntu 10.04 LTS:
  cpio                            2.10-1ubuntu2.1

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-2456-1

CVE-2010-0624, CVE-2014-9112

Severity
critical
Lowest
Low
Medium
High
Critical

January 08, 2015

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.