
Security Advisory Moderate: cpio security update

Advisory: RHSA-2010:0143-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-03-15
Last updated on: 2010-03-15
Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.8.z)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.8.z)
Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org): CVE-2010-0624

Details

An updated cpio package that fixes one security issue is now available for
Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

GNU cpio copies files into or out of a cpio or tar archive.

A heap-based buffer overflow flaw was found in the way cpio expanded
archive files. If a user were tricked into expanding a specially-crafted
archive, it could cause the cpio executable to crash or execute arbitrary
code with the privileges of the user running cpio. (CVE-2010-0624)

Red Hat would like to thank Jakob Lell for responsibly reporting this
issue.

Users of cpio are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Red Hat Desktop (v. 4)

SRPMS:
cpio-2.5-16.el4_8.1.src.rpm

IA-32:
cpio-2.5-16.el4_8.1.i386.rpm

x86_64:
cpio-2.5-16.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux AS (v. 4)

SRPMS:
cpio-2.5-16.el4_8.1.src.rpm

IA-32:
cpio-2.5-16.el4_8.1.i386.rpm

IA-64:
cpio-2.5-16.el4_8.1.ia64.rpm

PPC:
cpio-2.5-16.el4_8.1.ppc.rpm

s390:
cpio-2.5-16.el4_8.1.s390.rpm

s390x:
cpio-2.5-16.el4_8.1.s390x.rpm

x86_64:
cpio-2.5-16.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux AS (v. 4.8.z)

SRPMS:
cpio-2.5-16.el4_8.1.src.rpm

IA-32:
cpio-2.5-16.el4_8.1.i386.rpm

IA-64:
cpio-2.5-16.el4_8.1.ia64.rpm

PPC:
cpio-2.5-16.el4_8.1.ppc.rpm

s390:
cpio-2.5-16.el4_8.1.s390.rpm

s390x:
cpio-2.5-16.el4_8.1.s390x.rpm

x86_64:
cpio-2.5-16.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux ES (v. 4)

SRPMS:
cpio-2.5-16.el4_8.1.src.rpm

IA-32:
cpio-2.5-16.el4_8.1.i386.rpm

IA-64:
cpio-2.5-16.el4_8.1.ia64.rpm

x86_64:
cpio-2.5-16.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux ES (v. 4.8.z)

SRPMS:
cpio-2.5-16.el4_8.1.src.rpm

IA-32:
cpio-2.5-16.el4_8.1.i386.rpm

IA-64:
cpio-2.5-16.el4_8.1.ia64.rpm

x86_64:
cpio-2.5-16.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux WS (v. 4)

SRPMS:
cpio-2.5-16.el4_8.1.src.rpm

IA-32:
cpio-2.5-16.el4_8.1.i386.rpm

IA-64:
cpio-2.5-16.el4_8.1.ia64.rpm

x86_64:
cpio-2.5-16.el4_8.1.x86_64.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

564368 - CVE-2010-0624 tar, cpio: Heap-based buffer overflow by expanding a specially-crafted archive


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/