cpio-2.12-10.el8

Errata ID: AXSA:2021-1794:01

Release date: Monday, June 7, 2021 - 06:39
Subject: cpio-2.12-10.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

The cpio packages provide the GNU cpio utility for creating and extracting archives, or copying files from one place to another.

Security Fix(es):

* cpio: improper input validation when writing tar header fields leads to unexpected tar generation (CVE-2019-14866)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Asianux Server 8.4 Release Notes linked from the References section.

CVE-2019-14866
cpio in all versions before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives as a high-privilege user without carefully reviewing them may lead to the compromise of the system.
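One way to review a TAR archive before extracting it as a high-privilege user, as the CVE text advises. This is an added example, not part of the advisory or of cpio; the function names, the heuristics chosen and the sample archive are assumptions made for illustration.

```python
import io
import stat
import tarfile


def review_tar(fileobj):
    """Return {member name: [reasons]} for entries that need manual review."""
    findings = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            reasons = []
            # Member paths that would land outside the extraction directory.
            if m.name.startswith("/") or ".." in m.name.split("/"):
                reasons.append("path escapes extraction directory")
            # Permission bits the archive creator may not have held.
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                reasons.append("setuid/setgid bit set")
            if m.isfile() and m.uid == 0 and m.mode & 0o111:
                reasons.append("root-owned executable")
            if m.ischr() or m.isblk():
                reasons.append("device node")
            if (m.issym() or m.islnk()) and (
                m.linkname.startswith("/") or ".." in m.linkname.split("/")
            ):
                reasons.append("link target outside archive tree")
            if reasons:
                findings[m.name] = reasons
    return findings


def build_sample():
    """Constructed sample archive held in memory (not from the advisory)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, mode, uid in [
            ("docs/readme.txt", 0o644, 1000),
            ("bin/helper", 0o4755, 0),
            ("../etc/cron.d/job", 0o644, 1000),
        ]:
            info = tarfile.TarInfo(name)
            info.mode, info.uid, info.size = mode, uid, 2
            tar.addfile(info, io.BytesIO(b"x\n"))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reasons in review_tar(build_sample()).items():
        print(f"{name}: {', '.join(reasons)}")
```

The script only reads headers and never extracts, so it can be run on an untrusted archive; a clean result does not replace updating cpio to the fixed package.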

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. cpio-2.12-10.el8.src.rpm
    MD5: ac99e293deee4f44d3e6849bc9891621
    SHA-256: 0aa00fa1b687891bc197dd0203b0bfd98963d5c2c8e0e5fb9f89367b47082e90
    Size: 1.24 MB

Asianux Server 8 for x86_64
  1. cpio-2.12-10.el8.x86_64.rpm
    MD5: 232e49fb296733a9903588246cae2691
    SHA-256: 8396761a66e933e674d4ff42a02b606a65209776f180cbc6aef132e3a91543f7
    Size: 263.89 kB