Mandriva Linux Security Advisory 2010-065

Posted Mar 23, 2010
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2010-065 - Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character. The tar package as shipped with Mandriva Linux is not affected by this vulnerability, but it was patched nonetheless in order to provide additional security to customers who recompile the package while having the rsh package installed. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct this issue.
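The bug class is easy to see in a small model of the rmt client-side read. In the rmt protocol the client asks for data with "R<count>\n" and the server answers with a status line "A<n>\n" followed by n bytes (or "E<errno>\n<message>\n" on error); the pre-fix client trusted n and copied it into a buffer sized for <count>. The following is an added example written for this page, not code from the advisory, Mandriva, or the GNU tar/cpio sources. The function names (parse_status, rmt_read_overrun, rmt_read_fixed, rmt_demo_buf) and the in-memory server replies are constructed for illustration; the hardened reader applies the status > length comparison that was missing in tar before 1.23 and cpio before 2.11.

```c
/* Added example, not GNU tar/cpio code: a minimal model of the rmt client read
 * affected by CVE-2010-0624.  Protocol framing: client sends "R<count>\n",
 * server replies "A<n>\n" plus n bytes of data, or "E<errno>\n<msg>\n".
 * All names and the sample replies below are constructed for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RMT_ERROR ((size_t) -1)

/* Buffer shared by the demo readers; 16 bytes models a short client request. */
char rmt_demo_buf[16];

/* Parse the "A<n>\n" status line at the start of reply.  On success store the
 * announced byte count in *count and return the number of header bytes
 * consumed; return 0 for an "E..." reply or any malformed header. */
static size_t parse_status(const char *reply, size_t reply_len, size_t *count)
{
    size_t n = 0, i = 1;
    if (reply_len < 3 || reply[0] != 'A')
        return 0;
    if (reply[i] < '0' || reply[i] > '9')
        return 0;
    while (i < reply_len && reply[i] >= '0' && reply[i] <= '9') {
        size_t d = (size_t) (reply[i] - '0');
        if (n > (SIZE_MAX - d) / 10)      /* guard the decimal conversion */
            return 0;
        n = n * 10 + d;
        i++;
    }
    if (i >= reply_len || reply[i] != '\n')
        return 0;
    *count = n;
    return i + 1;
}

/* Pre-fix shape: trusts the server's count.  To keep this demo memory-safe it
 * does not copy; it returns how many bytes the old code would have written
 * past the end of a buffer of size length (0 when the reply is honest). */
size_t rmt_read_overrun(const char *reply, size_t reply_len, size_t length)
{
    size_t status;
    if (parse_status(reply, reply_len, &status) == 0)
        return 0;
    return status > length ? status - length : 0;
}

/* Hardened shape: reject a count larger than the request before any data is
 * copied, then copy only what the server actually delivered.  A reply that
 * announces more data than it carries is treated as a protocol error here
 * (a design choice for this demo; the real client reads from a pipe). */
size_t rmt_read_fixed(const char *reply, size_t reply_len,
                      char *buffer, size_t length)
{
    size_t status;
    size_t hdr = parse_status(reply, reply_len, &status);
    if (hdr == 0)
        return RMT_ERROR;
    if (status > length)              /* the check missing before the fix */
        return RMT_ERROR;
    if (status > reply_len - hdr)     /* short payload */
        return RMT_ERROR;
    memcpy(buffer, reply + hdr, status);
    return status;
}

int main(void)
{
    /* Constructed replies: an honest server answers a 16-byte request with
     * exactly 16 bytes; a malicious one announces 64 bytes for that request. */
    const char good[] = "A16\n0123456789abcdef";
    const char evil[] = "A64\n"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("good reply: fixed client copied %zu bytes\n",
           rmt_read_fixed(good, sizeof good - 1, rmt_demo_buf, sizeof rmt_demo_buf));
    printf("evil reply: pre-fix client would write %zu bytes past the buffer\n",
           rmt_read_overrun(evil, sizeof evil - 1, sizeof rmt_demo_buf));
    printf("evil reply: fixed client returns %s\n",
           rmt_read_fixed(evil, sizeof evil - 1, rmt_demo_buf, sizeof rmt_demo_buf)
               == RMT_ERROR ? "error" : "data");
    return 0;
}
```

The overrun figure is what the old rmt_read__ would have handed to the copy loop: the server, not the client, decided how many bytes landed in a heap buffer sized from the client's own request. Note also why the advisory says the stock Mandriva tar is unaffected: the rmt client path is only compiled in when remote tape support (the rsh package) is present at build time, so the exposure is to rebuilt packages, not the shipped binary.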

tags | advisory, remote, denial of service, overflow, arbitrary
systems | linux, mandriva
advisories | CVE-2010-0624
SHA-256 | c76ad343a946323626106b13f5b4855856acd6a8f4429eacd64b5224b9fafda3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2010:065
http://www.mandriva.com/security/
_______________________________________________________________________

Package : cpio
Date : March 23, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
Enterprise Server 5.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

A vulnerability has been found and corrected in cpio and tar:

Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c
in the rmt client functionality in GNU tar before 1.23 and GNU cpio
before 2.11 allows remote rmt servers to cause a denial of service
(memory corruption) or possibly execute arbitrary code by sending more
data than was requested, related to archive filenames that contain a :
(colon) character (CVE-2010-0624).

The Tar package as shipped with Mandriva Linux is not affected
by this vulnerability, but it was patched nonetheless in order to
provide additional security to customers who recompile the package
while having the rsh package installed.

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

The updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0624
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
56cdfb4e12affc6594049570fb8d35ce 2008.0/i586/cpio-2.9-2.2mdv2008.0.i586.rpm
705c2df54a9920908909423da574b32d 2008.0/i586/tar-1.18-1.2mdv2008.0.i586.rpm
596789a93702aecd07562281c9d48f78 2008.0/SRPMS/cpio-2.9-2.2mdv2008.0.src.rpm
b1a645b471280fa0e51c38aedfa504aa 2008.0/SRPMS/tar-1.18-1.2mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
d7eaf79ca34d67b5f152372813254cb1 2008.0/x86_64/cpio-2.9-2.2mdv2008.0.x86_64.rpm
2c97f01252660e80b9d00b7ebd7815e5 2008.0/x86_64/tar-1.18-1.2mdv2008.0.x86_64.rpm
596789a93702aecd07562281c9d48f78 2008.0/SRPMS/cpio-2.9-2.2mdv2008.0.src.rpm
b1a645b471280fa0e51c38aedfa504aa 2008.0/SRPMS/tar-1.18-1.2mdv2008.0.src.rpm

Mandriva Linux 2009.0:
a3058108cddda8dde95b20b9be7d2aae 2009.0/i586/cpio-2.9-5.1mdv2009.0.i586.rpm
8af041a2f14d3ea6761eb1ec77fa4964 2009.0/i586/tar-1.20-7.1mdv2009.0.i586.rpm
93f6cecaa13c9b3495721592305e1339 2009.0/SRPMS/cpio-2.9-5.1mdv2009.0.src.rpm
a755272047ac5cb179a5c294057154cd 2009.0/SRPMS/tar-1.20-7.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
ab93a4d266e37076e233aa2367a8c478 2009.0/x86_64/cpio-2.9-5.1mdv2009.0.x86_64.rpm
67ed3f23bcc8a8b633cbd8c8d7b9516b 2009.0/x86_64/tar-1.20-7.1mdv2009.0.x86_64.rpm
93f6cecaa13c9b3495721592305e1339 2009.0/SRPMS/cpio-2.9-5.1mdv2009.0.src.rpm
a755272047ac5cb179a5c294057154cd 2009.0/SRPMS/tar-1.20-7.1mdv2009.0.src.rpm

Mandriva Linux 2009.1:
2d0eeca73eb44a8c7e41c50fd4c20add 2009.1/i586/cpio-2.9-6.1mdv2009.1.i586.rpm
3cff4bb92b1ca2e074e1382f555bf7bc 2009.1/i586/tar-1.21-2.1mdv2009.1.i586.rpm
b5be5792c0e7e755554eae6c373a40dd 2009.1/SRPMS/cpio-2.9-6.1mdv2009.1.src.rpm
a5ed5628ea098b1687cd432aff6adb38 2009.1/SRPMS/tar-1.21-2.1mdv2009.1.src.rpm

Mandriva Linux 2009.1/X86_64:
d15356d257890237b4176c3206f03b4d 2009.1/x86_64/cpio-2.9-6.1mdv2009.1.x86_64.rpm
edd4211deb588b7b649606e8585bd15a 2009.1/x86_64/tar-1.21-2.1mdv2009.1.x86_64.rpm
b5be5792c0e7e755554eae6c373a40dd 2009.1/SRPMS/cpio-2.9-6.1mdv2009.1.src.rpm
a5ed5628ea098b1687cd432aff6adb38 2009.1/SRPMS/tar-1.21-2.1mdv2009.1.src.rpm

Mandriva Linux 2010.0:
bbe43728f9f8db2ceabba5dcb375e4a7 2010.0/i586/cpio-2.10-1.1mdv2010.0.i586.rpm
d5f150a07bf5fb6e6918b49f80742031 2010.0/i586/tar-1.22-2.1mdv2010.0.i586.rpm
f3379cc3d9787bda215d08dd56d33e3c 2010.0/SRPMS/cpio-2.10-1.1mdv2010.0.src.rpm
d6f6ed62e6c1cc2bf1761408427ff0a1 2010.0/SRPMS/tar-1.22-2.1mdv2010.0.src.rpm

Mandriva Linux 2010.0/X86_64:
9bbaba5025e46793b44503684fe963a3 2010.0/x86_64/cpio-2.10-1.1mdv2010.0.x86_64.rpm
965f38e0f6d386e02d6a174f84871dd9 2010.0/x86_64/tar-1.22-2.1mdv2010.0.x86_64.rpm
f3379cc3d9787bda215d08dd56d33e3c 2010.0/SRPMS/cpio-2.10-1.1mdv2010.0.src.rpm
d6f6ed62e6c1cc2bf1761408427ff0a1 2010.0/SRPMS/tar-1.22-2.1mdv2010.0.src.rpm

Corporate 4.0:
f614d9c66ae80c195bff9126e1755284 corporate/4.0/i586/cpio-2.6-5.2.20060mlcs4.i586.rpm
2ab8ec94b6e698122a2965bc942f4507 corporate/4.0/i586/tar-1.15.1-5.5.20060mlcs4.i586.rpm
3ea902eef3045f53fc5731cd7d2ae9bd corporate/4.0/SRPMS/cpio-2.6-5.2.20060mlcs4.src.rpm
c4eb72165f7f6e82b8fa1e61f03ae8d8 corporate/4.0/SRPMS/tar-1.15.1-5.5.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
459a97a9a72f94a331f71a3ab7364d73 corporate/4.0/x86_64/cpio-2.6-5.2.20060mlcs4.x86_64.rpm
f6f389f792d26da8599ca3f52337bfda corporate/4.0/x86_64/tar-1.15.1-5.5.20060mlcs4.x86_64.rpm
3ea902eef3045f53fc5731cd7d2ae9bd corporate/4.0/SRPMS/cpio-2.6-5.2.20060mlcs4.src.rpm
c4eb72165f7f6e82b8fa1e61f03ae8d8 corporate/4.0/SRPMS/tar-1.15.1-5.5.20060mlcs4.src.rpm

Mandriva Enterprise Server 5:
610988c42706cc2285fa96a76d3f8591 mes5/i586/cpio-2.9-5.1mdvmes5.i586.rpm
54419d1d259783ed09eb650b50bcf92e mes5/i586/tar-1.20-7.1mdvmes5.i586.rpm
68ee2df00ed5e14e2b63848cd859314b mes5/SRPMS/cpio-2.9-5.1mdvmes5.src.rpm
323b0d0f9724a8bb47a19f9515796aa1 mes5/SRPMS/tar-1.20-7.1mdvmes5.src.rpm

Mandriva Enterprise Server 5/X86_64:
b15be67043a8fbafac508dee747145cc mes5/x86_64/cpio-2.9-5.1mdvmes5.x86_64.rpm
73e670bfd66de82d128329a65d616fd4 mes5/x86_64/tar-1.20-7.1mdvmes5.x86_64.rpm
68ee2df00ed5e14e2b63848cd859314b mes5/SRPMS/cpio-2.9-5.1mdvmes5.src.rpm
323b0d0f9724a8bb47a19f9515796aa1 mes5/SRPMS/tar-1.20-7.1mdvmes5.src.rpm

Multi Network Firewall 2.0:
cc7e0ee1931123b8d25535ef09a0bddb mnf/2.0/i586/tar-1.13.25-11.2.C30mdk.i586.rpm
899c3024740570ebd77ee27ce2caddcc mnf/2.0/SRPMS/tar-1.13.25-11.2.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLqJpomqjQ0CJFipgRAsHHAJ92YyeHoAhhZ5XYWMdaLkqyHUKgHACgzBwE
Yb3u2qifffzdMrYlo8FlDKY=
=8efe
-----END PGP SIGNATURE-----