Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 314663 - <app-arch/cpio-2.11: arbitrary code execution (CVE-2010-0624)
Summary: <app-arch/cpio-2.11: arbitrary code execution (CVE-2010-0624)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-04-11 13:44 UTC by Stefan Behte (RETIRED)
Modified: 2013-11-28 08:52 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-04-11 13:44:26 UTC 
+++ This bug was initially created as a clone of Bug #313333 +++

CVE-2010-0624 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0624):
  Heap-based buffer overflow in the rmt_read__ function in
  lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23
  and GNU cpio before 2.11 allows remote rmt servers to cause a denial
  of service (memory corruption) or possibly execute arbitrary code by
  sending more data than was requested, related to archive filenames
  that contain a : (colon) character.
Comment 1 SpanKY gentoo-dev 2010-07-03 02:29:15 UTC 
i dont think there is any relationship to tar
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-03 07:50:56 UTC 
x86 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2010-07-05 20:28:05 UTC 
Stable for HPPA.
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2010-07-05 21:08:53 UTC 
ppc64 stable
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2010-07-08 18:16:34 UTC 
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2010-07-12 17:28:20 UTC 
amd64 done
Comment 7 Joe Jezak (RETIRED) gentoo-dev 2010-07-18 20:47:44 UTC 
Marked ppc stable.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 03:39:32 UTC 
Thanks, folks. GLSA request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-11-28 08:52:40 UTC 
This issue was resolved and addressed in
 GLSA 201311-21 at http://security.gentoo.org/glsa/glsa-201311-21.xml
by GLSA coordinator Sergey Popov (pinkbyte).