Security Advisory Moderate: cpio security update

Advisory: RHSA-2010:0145-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-03-15
Last updated on: 2010-03-15
Affected Products: Red Hat Desktop (v. 3)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)
CVEs (cve.mitre.org): CVE-2005-4268
CVE-2010-0624

Details

An updated cpio package that fixes two security issues is now available for
Red Hat Enterprise Linux 3.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

GNU cpio copies files into or out of a cpio or tar archive.

A heap-based buffer overflow flaw was found in the way cpio expanded
archive files. If a user were tricked into expanding a specially-crafted
archive, it could cause the cpio executable to crash or execute arbitrary
code with the privileges of the user running cpio. (CVE-2010-0624)

Red Hat would like to thank Jakob Lell for responsibly reporting the
CVE-2010-0624 issue.

A stack-based buffer overflow flaw was found in the way cpio expanded large
archive files. If a user expanded a specially-crafted archive, it could
cause the cpio executable to crash. This issue only affected 64-bit
platforms. (CVE-2005-4268)

Users of cpio are advised to upgrade to this updated package, which
contains backported patches to correct these issues.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Red Hat Desktop (v. 3)

SRPMS:
ftp://updates.redhat.com/rhn/public/NULL/cpio/2.5-6.RHEL3/SRPMS/cpio-2.5-6.RHEL3.src.rpm
MD5: 6ff1e60dc42e73247273646156dc7cc2
SHA-256: 5846a25dcb6534577beb665acc6aa958332f6ca094cadd61be9951996675144d
 
IA-32:
ftp://updates.redhat.com/rhn/public/NULL/cpio/2.5-6.RHEL3/i386/cpio-2.5-6.RHEL3.i386.rpm
MD5: ca54b2d1ea07fd0bad5b341ab0a86f13
SHA-256: 1463315e480031a6f464183d5f68437550e5520bae056349bea74b0c9475096b
 
x86_64:
ftp://updates.redhat.com/rhn/public/NULL/cpio/2.5-6.RHEL3/x86_64/cpio-2.5-6.RHEL3.x86_64.rpm
MD5: dfe9d3108cceb8197a9f171b56571a7a
SHA-256: bd3c4db649623876a37f66b1b0eb737ca90805216ac3e45694b9ae3cc80b4049
 
Red Hat Enterprise Linux AS (v. 3)

SRPMS:
ftp://updates.redhat.com/rhn/public/NULL/cpio/2.5-6.RHEL3/SRPMS/cpio-2.5-6.RHEL3.src.rpm
MD5: 6ff1e60dc42e73247273646156dc7cc2
SHA-256: 5846a25dcb6534577beb665acc6aa958332f6ca094cadd61be9951996675144d
 
IA-32:
ftp://updates.redhat.com/rhn/public/NULL/cpio/2.5-6.RHEL3/i386/cpio-2.5-6.RHEL3.i386.rpm
MD5: ca54b2d1ea07fd0bad5b341ab0a86f13
SHA-256: 1463315e480031a6f464183d5f68437550e5520bae056349bea74b0c9475096b
 
IA-64:
ftp://updates.redhat.com/rhn/public/NULL/cpio/2.5-6.RHEL3/ia64/cpio-2.5-6.RHEL3.ia64.rpm
MD5: 019bf374f57b95552a839a62d40e1856
SHA-256: 6740c8f20d6f0cf443c4db9f2d83abc31a4a05e5fc9353d8fb0c897aaf869e30
 
PPC:
ftp://updates.redhat.com/rhn/public/NULL/cpio/2.5-6.RHEL3/ppc/cpio-2.5-6.RHEL3.ppc.rpm
MD5: a9a9c61fef5dd6a6c1c561e01f96dc3f
SHA-256: f3bdf904cf948c6e8e4c1c5f886301146ca81b0764ae165b88459f96bd302449
 
s390:
ftp://updates.redhat.com/rhn/public/NULL/cpio/2.5-6.RHEL3/s390/cpio-2.5-6.RHEL3.s390.rpm
MD5: 7eebc244f7f556955a62a465483834f9
SHA-256: 4da79658765d74b3b6d18d298cc1059e1f92c9dfe7aa441f43ec0dd9ea5b702b
 
s390x:
ftp://updates.redhat.com/rhn/public/NULL/cpio/2.5-6.RHEL3/s390x/cpio-2.5-6.RHEL3.s390x.rpm
MD5: 75916796082657c83fad23d88a33f130
SHA-256: 37d859cb060bb4c7029aa79a6952261bfc5ca4f6066db9c4679ea826e9ec455b
 
x86_64:
ftp://updates.redhat.com/rhn/public/NULL/cpio/2.5-6.RHEL3/x86_64/cpio-2.5-6.RHEL3.x86_64.rpm
MD5: dfe9d3108cceb8197a9f171b56571a7a
SHA-256: bd3c4db649623876a37f66b1b0eb737ca90805216ac3e45694b9ae3cc80b4049
 
Red Hat Enterprise Linux ES (v. 3)

SRPMS:
ftp://updates.redhat.com/rhn/public/NULL/cpio/2.5-6.RHEL3/SRPMS/cpio-2.5-6.RHEL3.src.rpm
MD5: 6ff1e60dc42e73247273646156dc7cc2
SHA-256: 5846a25dcb6534577beb665acc6aa958332f6ca094cadd61be9951996675144d
 
IA-32:
ftp://updates.redhat.com/rhn/public/NULL/cpio/2.5-6.RHEL3/i386/cpio-2.5-6.RHEL3.i386.rpm
MD5: ca54b2d1ea07fd0bad5b341ab0a86f13
SHA-256: 1463315e480031a6f464183d5f68437550e5520bae056349bea74b0c9475096b
 
IA-64:
ftp://updates.redhat.com/rhn/public/NULL/cpio/2.5-6.RHEL3/ia64/cpio-2.5-6.RHEL3.ia64.rpm
MD5: 019bf374f57b95552a839a62d40e1856
SHA-256: 6740c8f20d6f0cf443c4db9f2d83abc31a4a05e5fc9353d8fb0c897aaf869e30
 
x86_64:
ftp://updates.redhat.com/rhn/public/NULL/cpio/2.5-6.RHEL3/x86_64/cpio-2.5-6.RHEL3.x86_64.rpm
MD5: dfe9d3108cceb8197a9f171b56571a7a
SHA-256: bd3c4db649623876a37f66b1b0eb737ca90805216ac3e45694b9ae3cc80b4049
 
Red Hat Enterprise Linux WS (v. 3)

SRPMS:
ftp://updates.redhat.com/rhn/public/NULL/cpio/2.5-6.RHEL3/SRPMS/cpio-2.5-6.RHEL3.src.rpm
MD5: 6ff1e60dc42e73247273646156dc7cc2
SHA-256: 5846a25dcb6534577beb665acc6aa958332f6ca094cadd61be9951996675144d
 
IA-32:
ftp://updates.redhat.com/rhn/public/NULL/cpio/2.5-6.RHEL3/i386/cpio-2.5-6.RHEL3.i386.rpm
MD5: ca54b2d1ea07fd0bad5b341ab0a86f13
SHA-256: 1463315e480031a6f464183d5f68437550e5520bae056349bea74b0c9475096b
 
IA-64:
ftp://updates.redhat.com/rhn/public/NULL/cpio/2.5-6.RHEL3/ia64/cpio-2.5-6.RHEL3.ia64.rpm
MD5: 019bf374f57b95552a839a62d40e1856
SHA-256: 6740c8f20d6f0cf443c4db9f2d83abc31a4a05e5fc9353d8fb0c897aaf869e30
 
x86_64:
ftp://updates.redhat.com/rhn/public/NULL/cpio/2.5-6.RHEL3/x86_64/cpio-2.5-6.RHEL3.x86_64.rpm
MD5: dfe9d3108cceb8197a9f171b56571a7a
SHA-256: bd3c4db649623876a37f66b1b0eb737ca90805216ac3e45694b9ae3cc80b4049
 

Bugs fixed (see bugzilla for more information)

229191 - CVE-2005-4268 cpio large filesize buffer overflow
564368 - CVE-2010-0624 tar, cpio: Heap-based buffer overflow by expanding a specially-crafted archive

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package
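The following script is an added example, not part of the advisory or of Red Hat's tooling: it checks a downloaded errata package against the SHA-256 published in the "Updated packages" section above and then asks rpm to verify the Red Hat signature. It assumes the .rpm has already been fetched into the current directory and that the Red Hat package key is imported into the rpm database (otherwise rpm reports a missing key, which the script treats as a failure).

```shell
#!/bin/sh
# Added example (not from the advisory): verify an errata package by published
# SHA-256 and by its GPG signature before installing it.

# Compute a file's SHA-256 with whichever tool the host provides
# (GNU coreutils sha256sum, or perl's shasum on other systems).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Returns 0 when the file's SHA-256 equals the expected value, 1 otherwise.
# The advisory also lists MD5 values, but MD5 is not collision resistant,
# so SHA-256 is the digest to act on.
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file") || return 1
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Ask rpm to check the package digests and signature. rpm -K exits non-zero
# and prints "NOT OK" on a bad signature; if the signing key is not imported
# it reports MISSING KEYS / NOKEY, which is also treated as a failure here.
verify_rpm_signature() {
    out=$(rpm -K "$1" 2>&1) || return 1
    case $out in
        *"NOT OK"*|*"MISSING KEYS"*|*NOKEY*) return 1 ;;
    esac
    return 0
}

# Usage with the IA-32 package and SHA-256 listed in this advisory:
# verify_sha256 cpio-2.5-6.RHEL3.i386.rpm \
#   1463315e480031a6f464183d5f68437550e5520bae056349bea74b0c9475096b \
#   && verify_rpm_signature cpio-2.5-6.RHEL3.i386.rpm \
#   && echo "package verified"
```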

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/