[security-announce] cpio: Security update

Sona Sarmadi sona.sarmadi at enea.com
Tue Mar 10 12:32:59 CET 2015



		Enea Linux Security Advisory

=========================================================
Product/package: cpio-2.8
Severity: Moderate
CVE Name: CVE-2014-9112
=========================================================
A security patch that fixes a heap-based buffer overflow flaw in
list_file() in cpio is now available at
http://linux.enea.com/5.0-beta-m400/patches:

README file: 0005-cpio-fix-bug-CVE-2014-9112-for-cpio-2.8.README
Patch file: 0005-cpio-fix-bug-CVE-2014-9112-for-cpio-2.8.patch

Description
===========
Heap-based buffer overflow in the process_copy_in function in GNU Cpio
2.11 allows remote attackers to cause a denial of service via a large
block value in a cpio archive.
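
The following is an added example, not part of the Enea advisory or of
GNU cpio: a pre-extraction check that walks the entry headers of a cpio
"newc" archive and reports any entry whose declared size does not fit in
the archive. It assumes the "block value" above corresponds to a size
field in an entry header; scan_newc and make_entry are hypothetical
names, and the sample archive is constructed.

```python
# Added example: size sanity checks for a cpio "newc" archive held in memory.
HEADER_LEN = 110  # 6-byte magic followed by 13 fields of 8 hex digits each
FILESIZE, NAMESIZE = 6, 11  # positions of the two size fields in the header

def pad4(n):
    """Round n up to the 4-byte alignment newc uses for names and data."""
    return (n + 3) & ~3

def scan_newc(data):
    """Return (offset, name, problem) tuples; an empty list means every
    declared size fits inside the archive."""
    findings, off = [], 0
    while off + HEADER_LEN <= len(data):
        if data[off:off + 6] not in (b"070701", b"070702"):
            findings.append((off, None, "bad magic"))
            break
        try:
            raw = data[off + 6:off + HEADER_LEN].decode("ascii")
            fields = [int(raw[i:i + 8], 16) for i in range(0, 104, 8)]
        except ValueError:  # also covers UnicodeDecodeError
            findings.append((off, None, "non-hex header field"))
            break
        name_end = off + HEADER_LEN + fields[NAMESIZE]
        if fields[NAMESIZE] == 0 or name_end > len(data):
            findings.append((off, None, "namesize does not fit in archive"))
            break
        name = data[off + HEADER_LEN:name_end].rstrip(b"\0").decode("utf-8", "replace")
        data_start = pad4(name_end)
        if fields[FILESIZE] > max(len(data) - data_start, 0):
            findings.append((off, name, "filesize exceeds remaining bytes"))
            break
        if name == "TRAILER!!!":
            break
        off = pad4(data_start + fields[FILESIZE])
    return findings

def make_entry(name, payload=b"", filesize=None):
    """Build one newc entry; constructed sample data, not a real archive."""
    nm = name.encode() + b"\0"
    size = len(payload) if filesize is None else filesize
    vals = [1, 0o100644, 0, 0, 1, 0, size, 0, 0, 0, 0, len(nm), 0]
    head = b"070701" + b"".join(b"%08X" % v for v in vals) + nm
    return (head + b"\0" * (pad4(len(head)) - len(head))
            + payload + b"\0" * (pad4(len(payload)) - len(payload)))

if __name__ == "__main__":
    sample = make_entry("big.bin", b"data", filesize=0x10000000) + make_entry("TRAILER!!!")
    print(scan_newc(sample))
```

A check like this only screens untrusted archives before they reach an
unpatched cpio; it does not replace applying the patch.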

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9112

How to apply the patches
=======================
 - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order:

wget http://linux.enea.com/5.0-beta-m400/Enea-Linux-5.0-beta-m400.tar.gz
tar zxvf Enea-Linux-5.0-beta-m400.tar.gz
<Fetch and apply the existing patches, please refer to
    README file for the individual patch>

 - Fetch and apply the new patch
cd Enea-Linux-5.0-beta-m400/poky
wget http://linux.enea.com/5.0-beta-m400/patches/0005-cpio-fix-bug-CVE-2014-9112-for-cpio-2.8.patch
patch -p1 < ./0005-cpio-fix-bug-CVE-2014-9112-for-cpio-2.8.patch

If you have any questions regarding the security patches and security
updates, please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
