FreeBSD Local Security Checks : FreeBSD Security Advisory (FreeBSD-SA-06:03.cpio.asc)

Price/Feature Summary | Order | New Vulnerabilities | Confidentiality | Vulnerability Search

Vulnerability Search		Search 61204 CVE descriptions and 32582 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.56108

Category: FreeBSD Local Security Checks

Title: FreeBSD Security Advisory (FreeBSD-SA-06:03.cpio.asc)

Summary: FreeBSD Security Advisory (FreeBSD-SA-06:03.cpio.asc)

Description: The remote host is missing an update to the system
as announced in the referenced advisory FreeBSD-SA-06:03.cpio.asc

The cpio utility copies files into or out of a cpio or tar archive.

A number of issues has been discovered in cpio:

. When creating a new file, cpio closes the file before setting its
permissions. (CVE-2005-1111)

. When extracting files cpio does not properly sanitize file names
to filter out .. components, even if the --no-absolute-filenames
option is used. (CVE-2005-1229)

. When adding large files (larger than 4 GB) to a cpio archive on
64-bit platforms an internal buffer might overflow. (CVE-2005-4268)

Solution:
Upgrade your system to the appropriate stable release
or security branch dated after the correction date

http://www.securityspace.com/smysecure/catid.html?in=FreeBSD-SA-06:03.cpio.asc

Cross-Ref: BugTraq ID: 13159
Common Vulnerability Exposure (CVE) ID: CVE-2005-1111
Bugtraq: 20050413 cpio TOCTOU file-permissions vulnerability (Google Search)
http://marc.theaimsgroup.com/?l=bugtraq&m=111342664116120&w=2
Debian Security Information: DSA-846 (Google Search)
http://www.debian.org/security/2005/dsa-846
FreeBSD Security Advisory: FreeBSD-SA-06:03
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:03.cpio.asc
http://www.redhat.com/support/errata/RHSA-2005-806.html
http://www.redhat.com/support/errata/RHSA-2005-378.html
SCO Security Bulletin: SCOSA-2005.32
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.32/SCOSA-2005.32.txt
SCO Security Bulletin: SCOSA-2006.2
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.2/SCOSA-2006.2.txt
SuSE Security Announcement: SUSE-SR:2006:010 (Google Search)
http://lists.suse.com/archive/suse-security-announce/2006-May/0004.html
http://www.ubuntu.com/usn/usn-189-1
http://www.securityfocus.com/bid/13159
http://www.osvdb.org/15725
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:358
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:9783
http://secunia.com/advisories/18290
http://secunia.com/advisories/18395
http://secunia.com/advisories/17123
http://secunia.com/advisories/17532
http://secunia.com/advisories/16998
http://secunia.com/advisories/20117

Copyright Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com

This is only one of 32582 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

New User Registration
Email:

UserID:

Passwd:

Please email me your monthly newsletters, informing the latest services, improvements & surveys.

Please email me a vulnerability test announcement whenever a new test is added.

Privacy

Registered User Login

UserID:

Passwd:

Forgot userid or passwd?

Email/Userid:

Test ID:	1.3.6.1.4.1.25623.1.0.56108
Category:	FreeBSD Local Security Checks
Title:	FreeBSD Security Advisory (FreeBSD-SA-06:03.cpio.asc)
Summary:	FreeBSD Security Advisory (FreeBSD-SA-06:03.cpio.asc)
Description:	The remote host is missing an update to the system as announced in the referenced advisory FreeBSD-SA-06:03.cpio.asc The cpio utility copies files into or out of a cpio or tar archive. A number of issues has been discovered in cpio: . When creating a new file, cpio closes the file before setting its permissions. (CVE-2005-1111) . When extracting files cpio does not properly sanitize file names to filter out .. components, even if the --no-absolute-filenames option is used. (CVE-2005-1229) . When adding large files (larger than 4 GB) to a cpio archive on 64-bit platforms an internal buffer might overflow. (CVE-2005-4268) Solution: Upgrade your system to the appropriate stable release or security branch dated after the correction date http://www.securityspace.com/smysecure/catid.html?in=FreeBSD-SA-06:03.cpio.asc
Cross-Ref:	BugTraq ID: 13159 Common Vulnerability Exposure (CVE) ID: CVE-2005-1111 Bugtraq: 20050413 cpio TOCTOU file-permissions vulnerability (Google Search) http://marc.theaimsgroup.com/?l=bugtraq&m=111342664116120&w=2 Debian Security Information: DSA-846 (Google Search) http://www.debian.org/security/2005/dsa-846 FreeBSD Security Advisory: FreeBSD-SA-06:03 ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:03.cpio.asc http://www.redhat.com/support/errata/RHSA-2005-806.html http://www.redhat.com/support/errata/RHSA-2005-378.html SCO Security Bulletin: SCOSA-2005.32 ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.32/SCOSA-2005.32.txt SCO Security Bulletin: SCOSA-2006.2 ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.2/SCOSA-2006.2.txt SuSE Security Announcement: SUSE-SR:2006:010 (Google Search) http://lists.suse.com/archive/suse-security-announce/2006-May/0004.html http://www.ubuntu.com/usn/usn-189-1 http://www.securityfocus.com/bid/13159 http://www.osvdb.org/15725 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:358 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:9783 http://secunia.com/advisories/18290 http://secunia.com/advisories/18395 http://secunia.com/advisories/17123 http://secunia.com/advisories/17532 http://secunia.com/advisories/16998 http://secunia.com/advisories/20117
Copyright	Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com