Bug#: 90619
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>

Attachment: cpio-2.6-alt-safer_name_suffix.patch (patch, 5.43 KB), created by Sune Kloppenborg Jeppesen, 2005-04-27 08:02 0000

Description:   Opened: 2005-04-27 08:01 0000
cpio is vulnerable to an absolute-path issue which allows unpacking the content
to any location.

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-04-27 08:02:34 0000 -------
Created an attachment (id=57389)
cpio-2.6-alt-safer_name_suffix.patch

Proposed patch by Dmitry V. Levin from altlinux.org

------- Comment #2 From SpanKY 2005-05-02 11:26:05 0000 -------
anyone know if cpio gnu maintainers have been notified? the fix isn't in their
upstream CVS

also, i don't think we need to keep this locked down ... redhat has added the
patch to their public CVS ...

------- Comment #3 From SpanKY 2005-05-02 14:46:29 0000 -------
cpio-2.6-r3 now in portage with the redhat fix

------- Comment #4 From Sune Kloppenborg Jeppesen 2005-05-02 22:29:37 0000 -------
Thx SpanKY.

Arches please test and mark stable.

------- Comment #5 From Jan Brinkmann (RETIRED) 2005-05-03 05:40:56 0000 -------
stable on amd64

------- Comment #6 From Gustavo Zacarias (RETIRED) 2005-05-03 06:05:48 0000 -------
sparc stable.

------- Comment #7 From Omkhar Arasaratnam (RETIRED) 2005-05-03 07:55:24 0000 -------
ppc64 stable

------- Comment #8 From Olivier Crete 2005-05-03 10:08:18 0000 -------
x86 stable

------- Comment #9 From Michael Hanselmann (hansmi) (RETIRED) 2005-05-03 13:06:24 0000 -------
Stable on ppc.

------- Comment #10 From Michael Hanselmann (hansmi) (RETIRED) 2005-05-03 14:05:43 0000 -------
Stable on hppa.

------- Comment #11 From Hasan Khalil (RETIRED) 2005-05-03 16:48:44 0000 -------
Stable on ppc-macos.

------- Comment #12 From Bryan Østergaard (RETIRED) 2005-05-04 01:24:26 0000 -------
Stable on alpha + ia64.

------- Comment #13 From SpanKY 2005-05-04 15:50:18 0000 -------
arm/s390 stable

------- Comment #14 From Sune Kloppenborg Jeppesen 2005-05-05 13:35:10 0000 -------
SpanKY thx for fixing CAN-2005-1111 (The TOCTOU issue) reference from the URL
above. But as far as I understand it these are two different problems.

------- Comment #15 From SpanKY 2005-05-05 14:51:24 0000 -------
heh, yes they are

i'll make another cpio but for the correct bug this time ;)

------- Comment #16 From Sune Kloppenborg Jeppesen 2005-05-08 22:36:05 0000 -------
SpanKY do we have a fix in CVS for this one yet?

------- Comment #17 From SpanKY 2005-05-09 17:53:41 0000 -------
e-mailed upstream to see what they want to do

------- Comment #18 From Sune Kloppenborg Jeppesen 2005-05-11 21:38:37 0000 -------
https://savannah.gnu.org/patch/?func=detailitem&item_id=4005
https://savannah.gnu.org/patch/?func=detailitem&item_id=4006
https://savannah.gnu.org/patch/?func=detailitem&item_id=4007

------- Comment #19 From Sune Kloppenborg Jeppesen 2005-05-15 22:23:15 0000 -------
SpanKY anything new on this one?

------- Comment #20 From Sune Kloppenborg Jeppesen 2005-05-25 06:52:22 0000 -------
SpanKY still no news?

------- Comment #21 From SpanKY 2005-06-16 21:35:15 0000 -------
sorry for the delay, my cvs checkout of upstream cpio was all screwed up so i
was trying to wait for them :/

cpio-2.6-r4 now in portage with fix

------- Comment #22 From Sune Kloppenborg Jeppesen 2005-06-16 22:09:50 0000 -------
Arches please test and mark stable.

Note: If anyone is on m68k, please create an arch alias.

------- Comment #23 From Markus Rothe 2005-06-16 23:37:12 0000 -------
stable on ppc64

------- Comment #24 From Gustavo Zacarias (RETIRED) 2005-06-17 05:59:17 0000 -------
sparc stable.

------- Comment #25 From René Nussbaumer 2005-06-17 06:21:55 0000 -------
Stable on hppa.

------- Comment #26 From Jan Brinkmann (RETIRED) 2005-06-17 10:13:20 0000 -------
stable on amd64

------- Comment #27 From Michael Hanselmann (hansmi) (RETIRED) 2005-06-17 10:28:27 0000 -------
Stable on ppc.

------- Comment #28 From Fernando J. Pereda 2005-06-17 12:15:03 0000 -------
alpha stable

------- Comment #29 From Bryan Østergaard (RETIRED) 2005-06-19 05:22:30 0000 -------
ia64 stable.

------- Comment #30 From SpanKY 2005-06-19 12:51:36 0000 -------
arm/s390/x86 stable

------- Comment #31 From Luke Macken (RETIRED) 2005-06-19 20:25:43 0000 -------
GLSA 200506-16, thanks everyone!

------- Comment #32 From Joshua Kinard 2005-06-29 19:02:34 0000 -------
mips stable.
