Posted: Sun Feb 15, 2015 4:26 pm
Post subject: [ GLSA 201502-11 ] GNU cpio
Gentoo Linux Security Advisory
Title: GNU cpio: Multiple vulnerabilities (GLSA 201502-11)
Date: February 15, 2015
Bug(s): #530512, #536010
Two vulnerabilities have been found in GNU cpio, the worst of which
could result in execution of arbitrary code.
GNU cpio copies files into or out of a cpio or tar archive.
Vulnerable: < 2.11-r3
Unaffected: >= 2.11-r3
Architectures: All supported architectures
Two vulnerabilities have been discovered in GNU cpio:
- The list_file function in GNU cpio contains a heap-based buffer
overflow vulnerability (CVE-2014-9112)
- A directory traversal vulnerability has been found in GNU cpio
A remote attacker may be able to entice a user to open a specially
crafted archive using GNU cpio, possibly resulting in execution of
arbitrary code, a Denial of Service condition, or overwriting arbitrary
There is no known workaround at this time.
All GNU cpio users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/cpio-2.11-r3"
Last edited by GLSA on Thu Jun 18, 2015 4:17 am; edited 1 time in total
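
An added example, not part of the advisory or of GNU cpio: a Python pre-extraction audit that reads the member headers of a cpio archive without invoking cpio and reports member names that resolve outside the extraction directory. It goes beyond what the advisory states by also checking symlink targets; the function names and the sample archive are constructed for illustration, and only the newc ("070701") archive format is handled.

```python
import posixpath
import stat

HDR_LEN = 110  # newc header: "070701" magic + 13 fields of 8 hex digits
def pad4(n):
    return (n + 3) & ~3  # names and data are padded to 4-byte boundaries

def iter_members(data):
    """Yield (name, mode, payload) for each member of a newc archive."""
    off = 0
    while off + HDR_LEN <= len(data):
        if data[off:off + 6] != b"070701":
            raise ValueError("bad magic at offset %d" % off)
        f = [int(data[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        end = pad4(off + HDR_LEN + namesize) + filesize
        if namesize == 0 or end > len(data):
            raise ValueError("size fields exceed archive length")
        name = data[off + HDR_LEN:off + HDR_LEN + namesize - 1].decode("utf-8", "replace")
        if name == "TRAILER!!!":
            return
        yield name, mode, data[end - filesize:end]
        off = pad4(end)

def escapes_root(path):
    """True if path is absolute or climbs above the extraction directory."""
    norm = posixpath.normpath(path)
    return norm.startswith("/") or norm == ".." or norm.startswith("../")

def audit(data):
    """Return (name, reason) findings without extracting anything."""
    findings = []
    for name, mode, payload in iter_members(data):
        if escapes_root(name):
            findings.append((name, "name leaves extraction directory"))
        elif stat.S_ISLNK(mode):  # a symlink's target is stored as its payload
            target = payload.decode("utf-8", "replace")
            if escapes_root(posixpath.join(posixpath.dirname(name), target)):
                findings.append((name, "symlink points outside directory"))
    return findings

def member(name, mode, payload=b""):  # builds the constructed sample only
    n = name.encode() + b"\0"
    fields = [0, mode, 0, 0, 1, 0, len(payload), 0, 0, 0, 0, len(n), 0]
    head = b"070701" + b"".join(b"%08X" % v for v in fields) + n
    return head.ljust(pad4(len(head)), b"\0") + payload.ljust(pad4(len(payload)), b"\0")
# Constructed sample archive: one benign member, two that escape the target.
SAMPLE = (member("docs/readme.txt", 0o100644, b"hello") + member("../outside.txt", 0o100644, b"x")
          + member("docs/link", 0o120777, b"../../etc") + member("TRAILER!!!", 0))
```

Calling `audit(SAMPLE)` reports `../outside.txt` and `docs/link`; an archive whose size fields run past the end of the data raises `ValueError` instead of being read further.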