rhsa-2005_806
Vulnerability from csaf_redhat
Published
2005-11-10 19:01
Modified
2024-11-21 23:41
Summary
Red Hat Security Advisory: cpio security update
Notes
Topic
An updated cpio package that fixes multiple issues is now available.
This update has been rated as having low security impact by the Red Hat
Security Response Team.
Details
GNU cpio copies files into or out of a cpio or tar archive.
A race condition bug was found in cpio. It is possible for a local
malicious user to modify the permissions of a local file if they have write
access to a directory in which a cpio archive is being extracted. The
Common Vulnerabilities and Exposures project has assigned the name
CVE-2005-1111 to this issue.
It was discovered that cpio uses a 0 umask when creating files using the -O
(archive) option. This creates output files with mode 0666 (all users can
read and write) regardless of the user's umask setting. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CVE-1999-1572 to this issue.
All users of cpio are advised to upgrade to this updated package, which
contains backported fixes for these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Low"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated cpio package that fixes multiple issues is now available.\n\nThis update has been rated as having low security impact by the Red Hat\nSecurity Response Team.",
"title": "Topic"
},
{
"category": "general",
"text": "GNU cpio copies files into or out of a cpio or tar archive. \n\nA race condition bug was found in cpio. It is possible for a local\nmalicious user to modify the permissions of a local file if they have write\naccess to a directory in which a cpio archive is being extracted. The\nCommon Vulnerabilities and Exposures project has assigned the name\nCVE-2005-1111 to this issue.\n\nIt was discovered that cpio uses a 0 umask when creating files using the -O\n(archive) option. This creates output files with mode 0666 (all users can\nread and write) regardless of the user\u0027s umask setting. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the name\nCVE-1999-1572 to this issue.\n\nAll users of cpio are advised to upgrade to this updated package, which\ncontains backported fixes for these issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2005:806",
"url": "https://access.redhat.com/errata/RHSA-2005:806"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#low",
"url": "https://access.redhat.com/security/updates/classification/#low"
},
{
"category": "external",
"summary": "169760",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=169760"
},
{
"category": "external",
"summary": "172191",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=172191"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2005/rhsa-2005_806.json"
}
],
"title": "Red Hat Security Advisory: cpio security update",
"tracking": {
"current_release_date": "2024-11-21T23:41:19+00:00",
"generator": {
"date": "2024-11-21T23:41:19+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2005:806",
"initial_release_date": "2005-11-10T19:01:00+00:00",
"revision_history": [
{
"date": "2005-11-10T19:01:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2005-11-10T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T23:41:19+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product": {
"name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product_id": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:2.1::as"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux Advanced Workstation 2.1",
"product": {
"name": "Red Hat Linux Advanced Workstation 2.1",
"product_id": "Red Hat Linux Advanced Workstation 2.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:2.1::aw"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ES version 2.1",
"product": {
"name": "Red Hat Enterprise Linux ES version 2.1",
"product_id": "Red Hat Enterprise Linux ES version 2.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:2.1::es"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux WS version 2.1",
"product": {
"name": "Red Hat Enterprise Linux WS version 2.1",
"product_id": "Red Hat Enterprise Linux WS version 2.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:2.1::ws"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Mike O\u0027Connor"
]
}
],
"cve": "CVE-1999-1572",
"discovery_date": "2005-11-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616458"
}
],
"notes": [
{
"category": "description",
"text": "cpio on FreeBSD 2.1.0, Debian GNU/Linux 3.0, and possibly other operating systems, uses a 0 umask when creating files using the -O (archive) or -F options, which creates the files with mode 0666 and allows local users to read or overwrite those files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"Red Hat Enterprise Linux ES version 2.1",
"Red Hat Enterprise Linux WS version 2.1",
"Red Hat Linux Advanced Workstation 2.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-1999-1572"
},
{
"category": "external",
"summary": "RHBZ#1616458",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616458"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-1999-1572",
"url": "https://www.cve.org/CVERecord?id=CVE-1999-1572"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-1999-1572",
"url": "https://nvd.nist.gov/vuln/detail/CVE-1999-1572"
}
],
"release_date": "1996-07-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2005-11-10T19:01:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via Red Hat Network. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"Red Hat Enterprise Linux ES version 2.1",
"Red Hat Enterprise Linux WS version 2.1",
"Red Hat Linux Advanced Workstation 2.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2005:806"
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2005-1111",
"discovery_date": "2005-04-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1617604"
}
],
"notes": [
{
"category": "description",
"text": "Race condition in cpio 2.6 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"Red Hat Enterprise Linux ES version 2.1",
"Red Hat Enterprise Linux WS version 2.1",
"Red Hat Linux Advanced Workstation 2.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2005-1111"
},
{
"category": "external",
"summary": "RHBZ#1617604",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1617604"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2005-1111",
"url": "https://www.cve.org/CVERecord?id=CVE-2005-1111"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2005-1111",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2005-1111"
}
],
"release_date": "2005-04-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2005-11-10T19:01:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via Red Hat Network. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"Red Hat Enterprise Linux ES version 2.1",
"Red Hat Enterprise Linux WS version 2.1",
"Red Hat Linux Advanced Workstation 2.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2005:806"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.