CVE-2005-4268: Buffer overflow on 64 bit archs

Debian Bug report logs - #344134
CVE-2005-4268: Buffer overflow on 64 bit archs

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2005-4268: Buffer overflow on 64 bit archs

Date: Tue, 20 Dec 2005 10:56:13 +0100

Package: cpio
Version: 2.6-9
Severity: important
Tags: security
Justification: user security hole

For very large archives the ASCII representation of the file size
may exceed eight bytes and trigger a buffer overflow. Please see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=172669 for
details and upstream's patch.

This affects oldstable and stable as well.

This is CVE-2005-4268, please mention it in the changelog when fixing
this.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-1-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Versions of packages cpio depends on:
ii  libc6                         2.3.5-8.1  GNU C Library: Shared libraries an

cpio recommends no packages.

-- no debconf information

Message #10 received at 344134-close@bugs.debian.org (full text, mbox, reply):

From: Clint Adams <schizo@debian.org>

To: 344134-close@bugs.debian.org

Subject: Bug#344134: fixed in cpio 2.6-10

Date: Tue, 20 Dec 2005 10:47:09 -0800

Source: cpio
Source-Version: 2.6-10

We believe that the bug you reported is fixed in the latest version of
cpio, which is due to be installed in the Debian FTP archive:

cpio_2.6-10.diff.gz
  to pool/main/c/cpio/cpio_2.6-10.diff.gz
cpio_2.6-10.dsc
  to pool/main/c/cpio/cpio_2.6-10.dsc
cpio_2.6-10_sparc.deb
  to pool/main/c/cpio/cpio_2.6-10_sparc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 344134@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Clint Adams <schizo@debian.org> (supplier of updated cpio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 20 Dec 2005 12:44:50 -0500
Source: cpio
Binary: cpio
Architecture: source sparc
Version: 2.6-10
Distribution: unstable
Urgency: medium
Maintainer: Clint Adams <schizo@debian.org>
Changed-By: Clint Adams <schizo@debian.org>
Description: 
 cpio       - GNU cpio -- a program to manage archives of files
Closes: 344134
Changes: 
 cpio (2.6-10) unstable; urgency=medium
 .
   * Fix potential buffer overflow on 64-bit architectures.
     [CVE-2005-4268].  closes: #344134.
Files: 
 e616c3fdf09d92a237eb551236978fff 549 utils important cpio_2.6-10.dsc
 227b2539e6eccb661cefe4ee07a71f40 408410 utils important cpio_2.6-10.diff.gz
 b72e080d7e395d8cefbaf270b991526d 127170 utils important cpio_2.6-10_sparc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Debian!

iD8DBQFDqE9d5m0u66uWM3ARAispAKCa2zCe4YiY8gHaw5lHMtu2KggC/ACgjZ+J
6MQ4Wu9c1Rk9OqLq3+2ZIlE=
=u+EF
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.