Synopsis

Moderate: cpio security update

Type/Severity

Security Advisory: Moderate

Topic

An updated cpio package that fixes one security issue is now available for
Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

GNU cpio copies files into or out of a cpio or tar archive.

A heap-based buffer overflow flaw was found in the way cpio expanded
archive files. If a user were tricked into expanding a specially-crafted
archive, it could cause the cpio executable to crash or execute arbitrary
code with the privileges of the user running cpio. (CVE-2010-0624)

Red Hat would like to thank Jakob Lell for responsibly reporting this
issue.

Users of cpio are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 4 x86_64
• Red Hat Enterprise Linux Server 4 ia64
• Red Hat Enterprise Linux Server 4 i386
• Red Hat Enterprise Linux Server - Extended Update Support 4.8 x86_64
• Red Hat Enterprise Linux Server - Extended Update Support 4.8 ia64
• Red Hat Enterprise Linux Server - Extended Update Support 4.8 i386
• Red Hat Enterprise Linux Workstation 4 x86_64
• Red Hat Enterprise Linux Workstation 4 ia64
• Red Hat Enterprise Linux Workstation 4 i386
• Red Hat Enterprise Linux Desktop 4 x86_64
• Red Hat Enterprise Linux Desktop 4 i386
• Red Hat Enterprise Linux for IBM z Systems 4 s390x
• Red Hat Enterprise Linux for IBM z Systems 4 s390
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8 s390
• Red Hat Enterprise Linux for Power, big endian 4 ppc
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.8 ppc

Fixes

• BZ - 564368 - CVE-2010-0624 tar, cpio: Heap-based buffer overflow by expanding a specially-crafted archive

CVEs

• CVE-2010-0624

References

• http://www.redhat.com/security/updates/classification/#moderate

Red Hat Enterprise Linux Server 4

SRPM
cpio-2.5-16.el4_8.1.src.rpm	SHA-256: a1d3ce140b95b78e386787ab99908ed6de21e3a994a0b1f64fa7b31bb274dd7d
x86_64
cpio-2.5-16.el4_8.1.x86_64.rpm	SHA-256: bb659a21cc628d03a7eb925ba4ec579c60281264d386c169e58d75a6dadacc4b
cpio-2.5-16.el4_8.1.x86_64.rpm	SHA-256: bb659a21cc628d03a7eb925ba4ec579c60281264d386c169e58d75a6dadacc4b
ia64
cpio-2.5-16.el4_8.1.ia64.rpm	SHA-256: 34c20a7b498e7833e6f9c761f4a2331960f680f85ba0c47d8f5c84b1e14ad423
cpio-2.5-16.el4_8.1.ia64.rpm	SHA-256: 34c20a7b498e7833e6f9c761f4a2331960f680f85ba0c47d8f5c84b1e14ad423
i386
cpio-2.5-16.el4_8.1.i386.rpm	SHA-256: 73d943b651bcbd5547616e7cf18af52cd67da2632ec8b79f1c4e48b3a2008d0d
cpio-2.5-16.el4_8.1.i386.rpm	SHA-256: 73d943b651bcbd5547616e7cf18af52cd67da2632ec8b79f1c4e48b3a2008d0d

Red Hat Enterprise Linux Server - Extended Update Support 4.8

SRPM
cpio-2.5-16.el4_8.1.src.rpm	SHA-256: a1d3ce140b95b78e386787ab99908ed6de21e3a994a0b1f64fa7b31bb274dd7d
x86_64
cpio-2.5-16.el4_8.1.x86_64.rpm	SHA-256: bb659a21cc628d03a7eb925ba4ec579c60281264d386c169e58d75a6dadacc4b
cpio-2.5-16.el4_8.1.x86_64.rpm	SHA-256: bb659a21cc628d03a7eb925ba4ec579c60281264d386c169e58d75a6dadacc4b
ia64
cpio-2.5-16.el4_8.1.ia64.rpm	SHA-256: 34c20a7b498e7833e6f9c761f4a2331960f680f85ba0c47d8f5c84b1e14ad423
cpio-2.5-16.el4_8.1.ia64.rpm	SHA-256: 34c20a7b498e7833e6f9c761f4a2331960f680f85ba0c47d8f5c84b1e14ad423
i386
cpio-2.5-16.el4_8.1.i386.rpm	SHA-256: 73d943b651bcbd5547616e7cf18af52cd67da2632ec8b79f1c4e48b3a2008d0d
cpio-2.5-16.el4_8.1.i386.rpm	SHA-256: 73d943b651bcbd5547616e7cf18af52cd67da2632ec8b79f1c4e48b3a2008d0d

Red Hat Enterprise Linux Workstation 4

SRPM
cpio-2.5-16.el4_8.1.src.rpm	SHA-256: a1d3ce140b95b78e386787ab99908ed6de21e3a994a0b1f64fa7b31bb274dd7d
x86_64
cpio-2.5-16.el4_8.1.x86_64.rpm	SHA-256: bb659a21cc628d03a7eb925ba4ec579c60281264d386c169e58d75a6dadacc4b
ia64
cpio-2.5-16.el4_8.1.ia64.rpm	SHA-256: 34c20a7b498e7833e6f9c761f4a2331960f680f85ba0c47d8f5c84b1e14ad423
i386
cpio-2.5-16.el4_8.1.i386.rpm	SHA-256: 73d943b651bcbd5547616e7cf18af52cd67da2632ec8b79f1c4e48b3a2008d0d

Red Hat Enterprise Linux Desktop 4

SRPM
cpio-2.5-16.el4_8.1.src.rpm	SHA-256: a1d3ce140b95b78e386787ab99908ed6de21e3a994a0b1f64fa7b31bb274dd7d
x86_64
cpio-2.5-16.el4_8.1.x86_64.rpm	SHA-256: bb659a21cc628d03a7eb925ba4ec579c60281264d386c169e58d75a6dadacc4b
i386
cpio-2.5-16.el4_8.1.i386.rpm	SHA-256: 73d943b651bcbd5547616e7cf18af52cd67da2632ec8b79f1c4e48b3a2008d0d

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
cpio-2.5-16.el4_8.1.src.rpm	SHA-256: a1d3ce140b95b78e386787ab99908ed6de21e3a994a0b1f64fa7b31bb274dd7d
s390x
cpio-2.5-16.el4_8.1.s390x.rpm	SHA-256: 00d231becfdba6a920edc4f48448553336fd05a313442bb5080afb7dc7637077
s390
cpio-2.5-16.el4_8.1.s390.rpm	SHA-256: decbc9170b5a95d97a6c103b0355f64fbd3ffa5daa69192b288a7a915ff7a0b5

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8

SRPM
cpio-2.5-16.el4_8.1.src.rpm	SHA-256: a1d3ce140b95b78e386787ab99908ed6de21e3a994a0b1f64fa7b31bb274dd7d
s390x
cpio-2.5-16.el4_8.1.s390x.rpm	SHA-256: 00d231becfdba6a920edc4f48448553336fd05a313442bb5080afb7dc7637077
s390
cpio-2.5-16.el4_8.1.s390.rpm	SHA-256: decbc9170b5a95d97a6c103b0355f64fbd3ffa5daa69192b288a7a915ff7a0b5

Red Hat Enterprise Linux for Power, big endian 4

SRPM
cpio-2.5-16.el4_8.1.src.rpm	SHA-256: a1d3ce140b95b78e386787ab99908ed6de21e3a994a0b1f64fa7b31bb274dd7d
ppc
cpio-2.5-16.el4_8.1.ppc.rpm	SHA-256: 332acf4a0a0ed9753ceb5ef5bbc2bd0df857ff5eeaacc22073ed453e77c5d2a4

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.8

SRPM
cpio-2.5-16.el4_8.1.src.rpm	SHA-256: a1d3ce140b95b78e386787ab99908ed6de21e3a994a0b1f64fa7b31bb274dd7d
ppc
cpio-2.5-16.el4_8.1.ppc.rpm	SHA-256: 332acf4a0a0ed9753ceb5ef5bbc2bd0df857ff5eeaacc22073ed453e77c5d2a4