Lucene search

K

Gentoo FoundationMGASA-2015-0080

HistoryFeb 19, 2015 - 5:43 p.m.

Updated cpio package fixes security vulnerability

2015-02-1917:43:07

Gentoo Foundation

advisories.mageia.org

11

1.9 Low

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:M/Au:N/C:N/I:P/A:N

0.0004 Low

EPSS

Percentile

9.0%

In GNU Cpio 2.11, the --no-absolute-filenames option limits extracting contents of an archive to be strictly inside a current directory. However, it can be bypassed with symlinks. While extracting an archive, it will extract symlinks and then follow them if they are referenced in further entries. This can be exploited by a rogue archive to write files outside the current directory (CVE-2015-1197).

OSVersionArchitecturePackageVersionFilename
Mageia4noarchcpio< 2.11-6.3cpio-2.11-6.3.mga4

References

bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669

bugs.mageia.org/show_bug.cgi?id=15308

1.9 Low

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:M/Au:N/C:N/I:P/A:N

0.0004 Low

EPSS

Percentile

9.0%

Related for MGASA-2015-0080

openvas14 nessus22 ubuntucve2 securityvulns2 alpinelinux1 prion2 debiancve2 amazon2 cve4 archlinux1 thn1 freebsd2 packetstorm1 zdt1 metasploit1 ubuntu1 securelist1 redhatcve2 gentoo1 mageia1 attackerkb1 rapid7blog1