
Bug 314663

Summary: <app-arch/cpio-2.11: arbitrary code execution (CVE-2010-0624)
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: base-system
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=564368
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-04-11 13:44:26 UTC
+++ This bug was initially created as a clone of Bug #313333 +++

CVE-2010-0624 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0624):
  Heap-based buffer overflow in the rmt_read__ function in
  lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23
  and GNU cpio before 2.11 allows remote rmt servers to cause a denial
  of service (memory corruption) or possibly execute arbitrary code by
  sending more data than was requested, related to archive filenames
  that contain a : (colon) character.
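
Added example, not part of the bug report and not code from GNU cpio or tar: a simplified C model of the bounds check the CVE description implies, where a byte count supplied by the remote server is validated against the size the client requested before anything is copied. The reply layout (`A<count>\n` followed by the data) and all function names are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not rtapelib.c: a read reply is "A<count>\n" followed
   by <count> data bytes. All function names here are hypothetical. */

/* Parse the status line; return the count the server claims, or -1. */
static long parse_status(const char *reply, size_t len, size_t *hdr_len)
{
    long n = 0;
    size_t i = 1;
    if (len < 3 || reply[0] != 'A')
        return -1;
    for (; i < len && reply[i] >= '0' && reply[i] <= '9'; i++) {
        if (n > (LONG_MAX - 9) / 10)
            return -1;                      /* count would overflow */
        n = n * 10 + (reply[i] - '0');
    }
    if (i == 1 || i >= len || reply[i] != '\n')
        return -1;                          /* no digits or no terminator */
    *hdr_len = i + 1;
    return n;
}

/* Copy the payload into buf only if the peer-supplied count fits what the
   caller requested; an unchecked client would copy n bytes regardless. */
long checked_read(const char *reply, size_t len, char *buf, size_t requested)
{
    size_t hdr_len;
    long n = parse_status(reply, len, &hdr_len);
    if (n < 0)
        return -1;
    if ((size_t)n > requested)              /* more data than was requested */
        return -1;
    if ((size_t)n > len - hdr_len)          /* payload shorter than claimed */
        return -1;
    memcpy(buf, reply + hdr_len, (size_t)n);
    return n;
}

int main(void)
{
    char buf[8];
    /* Constructed replies: one honest, one claiming 16 bytes for an 8-byte read. */
    printf("%ld\n", checked_read("A5\nhello", 8, buf, sizeof buf));
    printf("%ld\n", checked_read("A16\nAAAAAAAAAAAAAAAA", 20, buf, sizeof buf));
    return 0;
}
```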
Comment 1 SpanKY gentoo-dev 2010-07-03 02:29:15 UTC
I don't think there is any relationship to tar
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-03 07:50:56 UTC
x86 stable
Comment 3 Jeroen Roovers gentoo-dev 2010-07-05 20:28:05 UTC
Stable for HPPA.
Comment 4 Samuli Suominen gentoo-dev 2010-07-05 21:08:53 UTC
ppc64 stable
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2010-07-08 18:16:34 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2010-07-12 17:28:20 UTC
amd64 done
Comment 7 Joe Jezak (RETIRED) gentoo-dev 2010-07-18 20:47:44 UTC
Marked ppc stable.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 03:39:32 UTC
Thanks, folks. GLSA request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-11-28 08:52:40 UTC
This issue was resolved and addressed in
 GLSA 201311-21 at http://security.gentoo.org/glsa/glsa-201311-21.xml
by GLSA coordinator Sergey Popov (pinkbyte).