===========================================================
Ubuntu Security Notice USN-234-1          January 02, 2006
cpio vulnerability
CVE-2005-4268
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

cpio

The problem can be corrected by upgrading the affected package to
version 2.5-1.1ubuntu0.3 (for Ubuntu 4.10), 2.5-1.1ubuntu1.2 (for
Ubuntu 5.04), or 2.5-1.2ubuntu1.1 (for Ubuntu 5.10). In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system).
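The kind of validation described above, as an added example (not code from cpio or from this notice): file properties are range-checked before they are formatted into fixed-width header fields. It assumes the SVR4 "newc" header layout as the illustration, since the notice does not name the affected format or code path; struct file_props and both function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SVR4 "newc" header: 6-byte magic "070701" + 13 fields of 8 hex digits. */
#define NEWC_HDR_LEN   110
#define NEWC_FIELD_MAX 0xFFFFFFFFULL   /* largest value 8 hex digits can hold */

struct file_props {                    /* hypothetical, for this example only */
    uint64_t ino, mode, uid, gid, nlink, mtime, size;
    uint64_t dev_major, dev_minor, rdev_major, rdev_minor, namesize;
};

/* Returns 0 and fills out[] (NUL-terminated) on success; -1 if a property
   does not fit its fixed-width field or the output buffer is too small. */
int newc_format_header(const struct file_props *p, char *out, size_t outlen)
{
    const uint64_t f[13] = { p->ino, p->mode, p->uid, p->gid, p->nlink,
                             p->mtime, p->size, p->dev_major, p->dev_minor,
                             p->rdev_major, p->rdev_minor, p->namesize, 0 };
    if (outlen < NEWC_HDR_LEN + 1)
        return -1;
    /* Validate first: "%08lx" sets a minimum width, not a maximum. */
    for (size_t i = 0; i < 13; i++)
        if (f[i] > NEWC_FIELD_MAX)
            return -1;
    size_t off = (size_t)snprintf(out, outlen, "070701");
    for (size_t i = 0; i < 13; i++) {
        int n = snprintf(out + off, outlen - off, "%08lx", (unsigned long)f[i]);
        if (n != 8)
            return -1;
        off += 8;
    }
    return off == NEWC_HDR_LEN ? 0 : -1;
}

/* Constructed sample file; returns the header length, or -1 if rejected. */
int header_len_for_size(uint64_t size)
{
    struct file_props p = { .ino = 42, .mode = 0100644, .nlink = 1,
                            .size = size, .namesize = 9 };
    char hdr[NEWC_HDR_LEN + 1];
    return newc_format_header(&p, hdr, sizeof hdr) == 0 ? (int)strlen(hdr) : -1;
}

int main(void)
{
    printf("4 KiB file: %d\n", header_len_for_size(4096));
    printf("4 GiB file: %d\n", header_len_for_size(0x100000000ULL));
    return 0;
}
```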