-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2010:065 http://www.mandriva.com/security/ _______________________________________________________________________ Package : cpio Date : March 23, 2010 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0, Enterprise Server 5.0, Multi Network Firewall 2.0 _______________________________________________________________________ Problem Description: A vulnerability has been found and corrected in cpio and tar: Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character (CVE-2010-0624). The Tar package as shipped with Mandriva Linux is not affected by this vulnerability, but it was patched nonetheless in order to provide additional security to customers who recompile the package while having the rsh package installed. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0624 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.0: 56cdfb4e12affc6594049570fb8d35ce 2008.0/i586/cpio-2.9-2.2mdv2008.0.i586.rpm 705c2df54a9920908909423da574b32d 2008.0/i586/tar-1.18-1.2mdv2008.0.i586.rpm 596789a93702aecd07562281c9d48f78 2008.0/SRPMS/cpio-2.9-2.2mdv2008.0.src.rpm b1a645b471280fa0e51c38aedfa504aa 2008.0/SRPMS/tar-1.18-1.2mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: d7eaf79ca34d67b5f152372813254cb1 2008.0/x86_64/cpio-2.9-2.2mdv2008.0.x86_64.rpm 2c97f01252660e80b9d00b7ebd7815e5 2008.0/x86_64/tar-1.18-1.2mdv2008.0.x86_64.rpm 596789a93702aecd07562281c9d48f78 2008.0/SRPMS/cpio-2.9-2.2mdv2008.0.src.rpm b1a645b471280fa0e51c38aedfa504aa 2008.0/SRPMS/tar-1.18-1.2mdv2008.0.src.rpm Mandriva Linux 2009.0: a3058108cddda8dde95b20b9be7d2aae 2009.0/i586/cpio-2.9-5.1mdv2009.0.i586.rpm 8af041a2f14d3ea6761eb1ec77fa4964 2009.0/i586/tar-1.20-7.1mdv2009.0.i586.rpm 93f6cecaa13c9b3495721592305e1339 2009.0/SRPMS/cpio-2.9-5.1mdv2009.0.src.rpm a755272047ac5cb179a5c294057154cd 2009.0/SRPMS/tar-1.20-7.1mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: ab93a4d266e37076e233aa2367a8c478 2009.0/x86_64/cpio-2.9-5.1mdv2009.0.x86_64.rpm 67ed3f23bcc8a8b633cbd8c8d7b9516b 2009.0/x86_64/tar-1.20-7.1mdv2009.0.x86_64.rpm 93f6cecaa13c9b3495721592305e1339 2009.0/SRPMS/cpio-2.9-5.1mdv2009.0.src.rpm a755272047ac5cb179a5c294057154cd 2009.0/SRPMS/tar-1.20-7.1mdv2009.0.src.rpm Mandriva Linux 2009.1: 2d0eeca73eb44a8c7e41c50fd4c20add 2009.1/i586/cpio-2.9-6.1mdv2009.1.i586.rpm 3cff4bb92b1ca2e074e1382f555bf7bc 2009.1/i586/tar-1.21-2.1mdv2009.1.i586.rpm b5be5792c0e7e755554eae6c373a40dd 2009.1/SRPMS/cpio-2.9-6.1mdv2009.1.src.rpm a5ed5628ea098b1687cd432aff6adb38 2009.1/SRPMS/tar-1.21-2.1mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: d15356d257890237b4176c3206f03b4d 2009.1/x86_64/cpio-2.9-6.1mdv2009.1.x86_64.rpm edd4211deb588b7b649606e8585bd15a 2009.1/x86_64/tar-1.21-2.1mdv2009.1.x86_64.rpm b5be5792c0e7e755554eae6c373a40dd 2009.1/SRPMS/cpio-2.9-6.1mdv2009.1.src.rpm a5ed5628ea098b1687cd432aff6adb38 2009.1/SRPMS/tar-1.21-2.1mdv2009.1.src.rpm Mandriva Linux 2010.0: bbe43728f9f8db2ceabba5dcb375e4a7 2010.0/i586/cpio-2.10-1.1mdv2010.0.i586.rpm d5f150a07bf5fb6e6918b49f80742031 2010.0/i586/tar-1.22-2.1mdv2010.0.i586.rpm f3379cc3d9787bda215d08dd56d33e3c 2010.0/SRPMS/cpio-2.10-1.1mdv2010.0.src.rpm d6f6ed62e6c1cc2bf1761408427ff0a1 2010.0/SRPMS/tar-1.22-2.1mdv2010.0.src.rpm Mandriva Linux 2010.0/X86_64: 9bbaba5025e46793b44503684fe963a3 2010.0/x86_64/cpio-2.10-1.1mdv2010.0.x86_64.rpm 965f38e0f6d386e02d6a174f84871dd9 2010.0/x86_64/tar-1.22-2.1mdv2010.0.x86_64.rpm f3379cc3d9787bda215d08dd56d33e3c 2010.0/SRPMS/cpio-2.10-1.1mdv2010.0.src.rpm d6f6ed62e6c1cc2bf1761408427ff0a1 2010.0/SRPMS/tar-1.22-2.1mdv2010.0.src.rpm Corporate 4.0: f614d9c66ae80c195bff9126e1755284 corporate/4.0/i586/cpio-2.6-5.2.20060mlcs4.i586.rpm 2ab8ec94b6e698122a2965bc942f4507 corporate/4.0/i586/tar-1.15.1-5.5.20060mlcs4.i586.rpm 3ea902eef3045f53fc5731cd7d2ae9bd corporate/4.0/SRPMS/cpio-2.6-5.2.20060mlcs4.src.rpm c4eb72165f7f6e82b8fa1e61f03ae8d8 corporate/4.0/SRPMS/tar-1.15.1-5.5.20060mlcs4.src.rpm Corporate 4.0/X86_64: 459a97a9a72f94a331f71a3ab7364d73 corporate/4.0/x86_64/cpio-2.6-5.2.20060mlcs4.x86_64.rpm f6f389f792d26da8599ca3f52337bfda corporate/4.0/x86_64/tar-1.15.1-5.5.20060mlcs4.x86_64.rpm 3ea902eef3045f53fc5731cd7d2ae9bd corporate/4.0/SRPMS/cpio-2.6-5.2.20060mlcs4.src.rpm c4eb72165f7f6e82b8fa1e61f03ae8d8 corporate/4.0/SRPMS/tar-1.15.1-5.5.20060mlcs4.src.rpm Mandriva Enterprise Server 5: 610988c42706cc2285fa96a76d3f8591 mes5/i586/cpio-2.9-5.1mdvmes5.i586.rpm 54419d1d259783ed09eb650b50bcf92e mes5/i586/tar-1.20-7.1mdvmes5.i586.rpm 68ee2df00ed5e14e2b63848cd859314b mes5/SRPMS/cpio-2.9-5.1mdvmes5.src.rpm 323b0d0f9724a8bb47a19f9515796aa1 mes5/SRPMS/tar-1.20-7.1mdvmes5.src.rpm Mandriva Enterprise Server 5/X86_64: b15be67043a8fbafac508dee747145cc mes5/x86_64/cpio-2.9-5.1mdvmes5.x86_64.rpm 73e670bfd66de82d128329a65d616fd4 mes5/x86_64/tar-1.20-7.1mdvmes5.x86_64.rpm 68ee2df00ed5e14e2b63848cd859314b mes5/SRPMS/cpio-2.9-5.1mdvmes5.src.rpm 323b0d0f9724a8bb47a19f9515796aa1 mes5/SRPMS/tar-1.20-7.1mdvmes5.src.rpm Multi Network Firewall 2.0: cc7e0ee1931123b8d25535ef09a0bddb mnf/2.0/i586/tar-1.13.25-11.2.C30mdk.i586.rpm 899c3024740570ebd77ee27ce2caddcc mnf/2.0/SRPMS/tar-1.13.25-11.2.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFLqJpomqjQ0CJFipgRAsHHAJ92YyeHoAhhZ5XYWMdaLkqyHUKgHACgzBwE Yb3u2qifffzdMrYlo8FlDKY= =8efe -----END PGP SIGNATURE-----