[security-announce] cpio 2.11: Security update

Sona Sarmadi sona.sarmadi at enea.com
Thu Aug 13 13:31:05 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


		Enea Linux Security Advisory	

=========================================================
Product/package: cpio 2.11
Severity: Low
CVE Name: CVE-2015-1197
=========================================================
This security patch fixes a directory traversal vulnerability
via symlinks in cpio 2.11.

Signed patch and README files
================================
0097-cpio-fix-CVE-2015-1197.patch
0097-cpio-fix-CVE-2015-1197.patch.sig
0097-cpio-fix-CVE-2015-1197.READMAE.asc

Description
===========
cpio 2.11, when using the --no-absolute-filenames option,
allows local users to write to arbitrary files via a symlink
attack on a file in an archive.

Reference
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1197

How to apply the patches
=======================
Make sure that you have an installation of Enea Linux and
have applied the existing patches in the right order.

wget https://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches >

 - Fetch, verify and apply the new patch
wget https://linux.enea.com/4.0/patches/\
0097-cpio-fix-CVE-2015-1197.patch
wget https://linux.enea.com/4.0/patches/\
0097-cpio-fix-CVE-2015-1197.patch.sig
gpg --verify 0097-cpio-fix-CVE-2015-1197.patch.sig
patch -p1 < ./0097-cpio-fix-CVE-2015-1197.patch

If you have any questions regarding the security patches and security
updates, please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
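
The pattern named in the Description above, as an added example that is not part of the Enea advisory or of the cpio patch: a Python check that parses a newc-format cpio archive and lists members whose path passes through a symlink created earlier in the same archive. The function names and the sample archive are constructed for illustration, and the check is deliberately conservative: it flags such members whatever the link target is.

```python
import stat

def entries(blob):
    """Yield (name, mode, data) for each member of a newc cpio archive."""
    off = 0
    while True:
        hdr = blob[off:off + 110]
        if len(hdr) < 110 or hdr[:6] not in (b"070701", b"070702"):
            raise ValueError(f"bad newc header at offset {off}")
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        start = off + 110
        name = blob[start:start + namesize - 1].decode("utf-8", "surrogateescape")
        data_off = (start + namesize + 3) & ~3   # name is NUL-padded to 4 bytes
        if name == "TRAILER!!!":
            return
        yield name, mode, blob[data_off:data_off + size]
        off = (data_off + size + 3) & ~3         # data is padded to 4 bytes too

def symlink_escapes(blob):
    """Return members that would be written through a symlink that the
    archive itself created earlier (the CVE-2015-1197 pattern)."""
    links, flagged = set(), []
    for name, mode, _data in entries(blob):
        parts = [p for p in name.split("/") if p not in ("", ".")]
        # Every proper prefix of the path is a directory that gets traversed.
        if any("/".join(parts[:i]) in links for i in range(1, len(parts))):
            flagged.append(name)
        if stat.S_ISLNK(mode):
            links.add("/".join(parts))
    return flagged

def member(name, mode, data=b""):
    """Build one newc member; helper for the constructed sample only."""
    n = name.encode() + b"\0"
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0]
    hdr = b"070701" + b"".join(b"%08X" % v for v in fields)
    pad = lambda b: b + b"\0" * (-len(b) % 4)
    return pad(hdr + n) + pad(data)

# Constructed sample: a symlink member, then a file placed "inside" it.
SAMPLE = (member("out", 0o120777, b"/constructed/target")
          + member("out/evil.txt", 0o100644, b"x")
          + member("docs/readme", 0o100644, b"hi")
          + member("TRAILER!!!", 0))
```

Running `symlink_escapes()` over an archive before extraction reports the members to inspect; it does not resolve `..` components or symlinks that already exist on disk.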


