Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 441
Alerts This Week
Warning Icon 1 441

Debian: DSA 846-1 Critical: Cpio Package Local Threats Fixed

debian
Calendar Grey October 7, 2005
Debian Logo
- --------------------------------------------------------------------------Debian Security Advisory
Updated package.

Summary


Imran Ghory discovered a race condition in setting the file
permissions of files extracted from cpio archives. A local
attacker with write access to the target directory could exploit
this to alter the permissions of arbitrary files the extracting
user has write permissions for.

CAN-2005-1229

Imran Ghory discovered that cpio does not sanitise the path of
extracted files even if the --no-absolute-filenames option was
specified. This can be exploited to install files in arbitrary
locations where the extracting user has write permissions to.

For the old stable distribution (woody) these problems have been fixed in
version 2.4.2-39woody2.

For the stable distribution (sarge) these problems have been fixed in
version 2.5-1.3.

For the unstable distribution (sid) these problems have been fixed in
version 2.6-6.

We recommend that you upgrade your cpio package.


Upgrade Instructions
- --------------------wget url
will fetch the file for you
...

Read the Full Advisory

Severity
critical
Lowest
Low
Medium
High
Critical

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.