News

=========================================================== Ubuntu Security Notice USN-234-1 January 02, 2006 cpio vulnerability CVE-2005-4268 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) Ubuntu 5.10 (Breezy Badger) The following packages are affected: cpio The problem can be corrected by upgrading the affected package to version 2.5-1.1ubuntu0.3 (for Ubuntu 4.10), 2.5-1.1ubuntu1.2 (for Ubuntu 5.04), or 2.5-1.2ubuntu1.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).