Monday, April 29, 2024

[USN-6755-1] GNU cpio vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6755-1
April 29, 2024

cpio vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

GNU cpio could be made to write files outside the target directory.

Software Description:
- cpio: a tool to manage archives of files

Details:

Ingo Brückl discovered that cpio contained a path traversal vulnerability.
If a user or automated system were tricked into extracting a specially
crafted cpio archive, an attacker could possibly use this issue to write
arbitrary files outside the target directory on the host, even if using the
option --no-absolute-filenames.
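
As a defensive complement to updating, the following added example (not part of the advisory and not Ubuntu's or GNU cpio's code) audits a cpio archive in "newc" format before extraction and reports members that could land outside the target directory. It goes beyond the advisory's text by also checking symlink targets; the function names, the restriction to the newc format and the sample archive are assumptions made for illustration.

```python
import posixpath
import stat

def pack(name, mode, data=b""):
    """Build one newc record; used only to construct the sample input below."""
    n = name.encode() + b"\0"
    fields = (0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0)
    rec = b"070701" + b"".join(b"%08X" % v for v in fields) + n
    rec += b"\0" * (-len(rec) % 4)            # header+name padded to 4 bytes
    return rec + data + b"\0" * (-len(data) % 4)

def members(blob):
    """Yield (name, mode, data) for each member of a newc archive."""
    off = 0
    while off + 110 <= len(blob):
        if blob[off:off + 6] not in (b"070701", b"070702"):
            raise ValueError("no newc header at offset %d" % off)
        f = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = blob[off + 110:off + 110 + namesize - 1].decode("utf-8", "replace")
        start = (off + 110 + namesize + 3) & ~3   # data begins 4-byte aligned
        data = blob[start:start + size]
        off = (start + size + 3) & ~3
        if name == "TRAILER!!!":
            return
        yield name, mode, data

def leaves_dir(path):
    """Lexical test: absolute, or normalises to something above the start."""
    norm = posixpath.normpath(path)
    return path.startswith("/") or norm == ".." or norm.startswith("../")

def audit(blob):
    """Return (name, reason) for members that could land outside the target."""
    findings = []
    for name, mode, data in members(blob):
        if name.startswith("/") or ".." in name.split("/"):
            findings.append((name, "absolute path or '..' component"))
        elif stat.S_ISLNK(mode):
            # The link target is the member data; chained links are not resolved.
            link = data.decode("utf-8", "replace")
            if leaves_dir(posixpath.join(posixpath.dirname(name), link)):
                findings.append((name, "symlink target outside target directory"))
    return findings

# Constructed sample archive (not from the advisory).
SAMPLE = (pack("docs/readme.txt", 0o100644, b"hi") + pack("../outside.txt", 0o100644, b"x")
          + pack("docs/link", 0o120777, b"../../elsewhere") + pack("TRAILER!!!", 0))
```

The check is purely lexical and conservative: it rejects any member name containing a ".." component and does not follow chains of symlinks, so it supplements the package update rather than replacing it.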

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10
  cpio                            2.13+dfsg-7.1ubuntu0.1

Ubuntu 22.04 LTS
  cpio                            2.13+dfsg-7ubuntu0.1

Ubuntu 20.04 LTS
  cpio                            2.13+dfsg-2ubuntu0.4

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6755-1
  CVE-2023-7207

Package Information:
  https://launchpad.net/ubuntu/+source/cpio/2.13+dfsg-7.1ubuntu0.1
  https://launchpad.net/ubuntu/+source/cpio/2.13+dfsg-7ubuntu0.1
  https://launchpad.net/ubuntu/+source/cpio/2.13+dfsg-2ubuntu0.4
