Vulnerability Bulletins |
Múltiples vulnerabilidades en cpio |
|
Vulnerability classification |
|
| Property | Value |
| Confidence level | Oficial |
| Impact | Integridad |
| Dificulty | Experto |
| Required attacker level | Acceso remoto sin cuenta a un servicio exotico |
System information |
|
| Property | Value |
| Affected manufacturer | GNU/Linux |
| Affected software | cpio |
Description |
|
|
Se han descubierto múltiples vulnerabilidades en la herramienta cpio. Las vulnerabilidades son descritas a continuación. - CAN-2005-1111: Vulnerabilidad de condición de carrera podría permitir a un atacante local modificar los permisos de archivos arbitrarios mediante un ataque de enlace duro ("hard link") mientras un archivo está siendo descomprimido a un directorio con permisos de escritura para el atacante. - CAN-2005-1229: Vulnerabilidad de directorio transversal podría permitir a un atacante remoto sobrescribir archivos arbitrarios del sistema mediante el uso de un archivo cpio especialmente diseñado que almacene archivos cuyo nombre contengan secuencias de "..". |
|
Solution |
|
|
Actualización de software Mandriva Linux Mandrakelinux 10.0 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/cpio-2.5-4.2.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/SRPMS/cpio-2.5-4.2.100mdk.src.rpm AMD64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/cpio-2.5-4.2.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/SRPMS/cpio-2.5-4.2.100mdk.src.rpm Mandrakelinux 10.1 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/cpio-2.5-4.3.101mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/SRPMS/cpio-2.5-4.3.101mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/cpio-2.5-4.3.101mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/SRPMS/cpio-2.5-4.3.101mdk.src.rpm Corporate Server 2.1 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/cpio-2.5-4.2.C21mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/SRPMS/cpio-2.5-4.2.C21mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/cpio-2.5-4.2.C21mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/SRPMS/cpio-2.5-4.2.C21mdk.src.rpm Corporate Server 3.0 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/cpio-2.5-4.2.C30mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/SRPMS/cpio-2.5-4.2.C30mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/cpio-2.5-4.2.C30mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/SRPMS/cpio-2.5-4.2.C30mdk.src.rpm Multi Network Firewall 2.0 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/RPMS/cpio-2.5-4.2.M20mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/SRPMS/cpio-2.5-4.2.M20mdk.src.rpm Mandrivalinux LE2005 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/RPMS/cpio-2.6-3.1.102mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/SRPMS/cpio-2.6-3.1.102mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/RPMS/cpio-2.6-3.1.102mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/SRPMS/cpio-2.6-3.1.102mdk.src.rpm Red Hat Linux Red Hat Desktop (v. 3) Red Hat Desktop (v. 4) Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux AS (v. 4) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux ES (v. 4) Red Hat Enterprise Linux WS (v. 3) Red Hat Enterprise Linux WS (v. 4) https://rhn.redhat.com/ Red Hat (CAN-2005-1111) Red Hat Enterprise Linux AS (v. 2.1) / SRPMS cpio-2.4.2-25.src.rpm Red Hat Enterprise Linux AS (v. 2.1) / IA-32 cpio-2.4.2-25.i386.rpm Red Hat Enterprise Linux AS (v. 2.1) / IA-64 cpio-2.4.2-25.ia64.rpm Red Hat Enterprise Linux ES (v. 2.1) / SRPMS cpio-2.4.2-25.src.rpm Red Hat Enterprise Linux ES (v. 2.1) / IA-32 cpio-2.4.2-25.i386.rpm Red Hat Enterprise Linux WS (v. 2.1) /SRPMS cpio-2.4.2-25.src.rpm Red Hat Enterprise Linux WS (v. 2.1) /IA-32 cpio-2.4.2-25.i386.rpm Red Hat Linux Advanced Workstation 2.1 Itanium / SRPMS cpio-2.4.2-25.src.rpm Red Hat Linux Advanced Workstation 2.1 Itanium / IA-64 cpio-2.4.2-25.ia64.rpm https://rhn.redhat.com/ SGI SGI Advanced Linux Environment 3 ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/RPMS ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/SRPMS SCO UnixWare 7.1.4 ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.32/erg712854.uw714.pkg.Z UnixWare 7.1.3 ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.32/erg712854.uw713.pkg.Z Debian Debian Linux 3.0 Source http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2.dsc http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2.diff.gz http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2.orig.tar.gz Alpha http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_alpha.deb ARM http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_arm.deb Intel IA-32 http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_i386.deb Intel IA-64 http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_ia64.deb HP Precision http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_hppa.deb Motorola 680x0 http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_m68k.deb Big endian MIPS http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_mips.deb Little endian MIPS http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_mipsel.deb PowerPC http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_powerpc.deb IBM S/390 http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_s390.deb Sun Sparc http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_sparc.deb Debian Linux 3.1 Source http://security.debian.org/pool/updates/main/c/cpio/cpio_2.5-1.3.dsc http://security.debian.org/pool/updates/main/c/cpio/cpio_2.5-1.3.diff.gz http://security.debian.org/pool/updates/main/c/cpio/cpio_2.5.orig.tar.gz Alpha http://security.debian.org/pool/updates/main/c/cpio/cpio_2.5-1.3_alpha.deb AMD64 http://security.debian.org/pool/updates/main/c/cpio/cpio_2.5-1.3_amd64.deb ARM http://security.debian.org/pool/updates/main/c/cpio/cpio_2.5-1.3_arm.deb Intel IA-32 http://security.debian.org/pool/updates/main/c/cpio/cpio_2.5-1.3_i386.deb Intel IA-64 http://security.debian.org/pool/updates/main/c/cpio/cpio_2.5-1.3_ia64.deb HP Precision http://security.debian.org/pool/updates/main/c/cpio/cpio_2.5-1.3_hppa.deb Motorola 680x0 http://security.debian.org/pool/updates/main/c/cpio/cpio_2.5-1.3_m68k.deb Big endian MIPS http://security.debian.org/pool/updates/main/c/cpio/cpio_2.5-1.3_mips.deb Little endian MIPS http://security.debian.org/pool/updates/main/c/cpio/cpio_2.5-1.3_mipsel.deb PowerPC http://security.debian.org/pool/updates/main/c/cpio/cpio_2.5-1.3_powerpc.deb IBM S/390 http://security.debian.org/pool/updates/main/c/cpio/cpio_2.5-1.3_s390.deb Sun Sparc http://security.debian.org/pool/updates/main/c/cpio/cpio_2.5-1.3_sparc.deb SCO OpenServer 5.0.7 ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.2/p532332.507_vol.tar OpenServer 6.0.0 ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.2/p532911.600_vol.tar FreeBSD FreeBSD 4.10, 4.11, 5.3, 5.4, 6.0 ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:03/cpio.patch Suse Linux Las actualizaciones pueden descargarse mediante YAST o del servidor FTP oficial de Suse Linux Mandriva (MDKSA-2007:233) Corporate Server 3.0 X86 corporate/3.0/i586/cpio-2.5-4.4.C30mdk.i586.rpm corporate/3.0/SRPMS/cpio-2.5-4.4.C30mdk.src.rpm X86_64 corporate/3.0/x86_64/cpio-2.5-4.4.C30mdk.x86_64.rpm corporate/3.0/SRPMS/cpio-2.5-4.4.C30mdk.src.rpm Multi Network Firewall 2.0 X86 ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/mnf/2.0/i586/media/main/updates/cpio-2.5-4.4.M20mdk.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/mnf/2.0/SRPMS/main/updates/cpio-2.5-4.4.M20mdk.src.rpm Mandriva Linux 2007 X86 ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/i586/media/main/updates/cpio-2.6-7.1mdv2007.0.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/SRPMS/main/updates/cpio-2.6-7.1mdv2007.0.src.rpm X86_64 ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/x86_64/media/main/updates/cpio-2.6-7.1mdv2007.0.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/SRPMS/main/updates/cpio-2.6-7.1mdv2007.0.src.rpm Corporate Server 4.0 X86 corporate/4.0/i586/cpio-2.6-5.1.20060mlcs4.i586.rpm corporate/4.0/SRPMS/cpio-2.6-5.1.20060mlcs4.src.rpm X86_64 corporate/4.0/x86_64/cpio-2.6-5.1.20060mlcs4.x86_64.rpm corporate/4.0/SRPMS/cpio-2.6-5.1.20060mlcs4.src.rpm Mandriva Linux 2007.1 X86 ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/i586/media/main/updates/cpio-2.7-3.1mdv2007.1.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/SRPMS/main/updates/cpio-2.7-3.1mdv2007.1.src.rpm X86_64 ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/x86_64/media/main/updates/cpio-2.7-3.1mdv2007.1.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/SRPMS/main/updates/cpio-2.7-3.1mdv2007.1.src.rpm Mandriva Linux 2008.0 X86 ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/i586/media/main/updates/cpio-2.9-2.1mdv2008.0.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/SRPMS/main/updates/cpio-2.9-2.1mdv2008.0.src.rpm X86_64 ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/x86_64/media/main/updates/cpio-2.9-2.1mdv2008.0.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/SRPMS/main/updates/cpio-2.9-2.1mdv2008.0.src.rpm |
|
Standar resources |
|
| Property | Value |
| CVE |
CVE-2005-1111 CVE-2005-1229 |
| BID | 13159 |
Other resources |
|
|
Mandriva Security Advisories MDKSA-2005:116 http://www.mandriva.com/security/advisories?name=MDKSA-2005:116 Mandriva Security Advisories MDKSA-2005:116-1 http://www.mandriva.com/security/advisories?name=MDKSA-2005:116-1 Red Hat Security Advisory RHSA-2005:378-17 https://rhn.redhat.com/errata/RHSA-2005-378.html Red Hat Security Advisory (RHSA-2005:806-8) https://rhn.redhat.com/errata/RHSA-2005-806.html SGI Security advisory 20050802-01-U ftp://patches.sgi.com/support/free/security/advisories/20050802-01-U.asc SCO Security Advisory (SCOSA-2005.32) ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.32/SCOSA-2005.32.txt Debian Security Advisory (DSA 846-1) http://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00240.html SCO Security Advisory SCOSA-2006.2 ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.2/SCOSA-2006.2.txt FreeBSD Security Advisory (FreeBSD-SA-06:03.cpio) ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:03.cpio.asc SUSE Security Advisory (SUSE-SR:2006:010) http://www.novell.com/linux/security/advisories/12_may_06.html Mandriva Security Advisory (MDKSA-2007:233) http://www.mandriva.com/security/advisories?name=MDKSA-2007:233 |
|
Version history |
||
| Version | Comments | Date |
| 1.0 | Aviso emitido | 2005-07-12 |
| 1.1 | Aviso actualizado por Mandriva (MDKSA-2005:116-1) | 2005-07-20 |
| 1.2 | Aviso emitido por Red Hat (RHSA-2005:378-17) | 2005-07-22 |
| 1.3 | Aviso emitido por SGI (20050802-01-U) | 2005-08-26 |
| 1.4 | Aviso emitido por SCO (SCOSA-2005.32) | 2005-09-02 |
| 1.5 | Aviso emitido por Debian (DSA 846-1) | 2005-10-18 |
| 1.6 | Aviso emitido por Red Hat (RHSA-2005:806-8) | 2005-11-14 |
| 1.7 | Aviso emitido por SCO (SCOSA-2006.2) | 2006-01-04 |
| 1.8 | Aviso emitido por FreeBSD (FreeBSD-SA-06:03.cpio) | 2006-01-12 |
| 1.9 | Aviso emitido por Suse (SUSE-SR:2006:010) | 2006-05-19 |
| 1.10 | Aviso emitido por Mandriva (MDKSA-2007:233) | 2007-11-29 |