Debian Bug report logs -
#344134
CVE-2005-4268: Buffer overflow on 64 bit archs
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Tue, 20 Dec 2005 10:03:04 UTC
Severity: important
Tags: security
Found in version cpio/2.6-9
Fixed in version cpio/2.6-10
Done: Clint Adams <schizo@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Clint Adams <schizo@debian.org>
:
Bug#344134
; Package cpio
.
(full text, mbox, link).
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>
:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Clint Adams <schizo@debian.org>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: cpio
Version: 2.6-9
Severity: important
Tags: security
Justification: user security hole
For very large archives the ASCII representation of the file size
may exceed eight bytes and trigger a buffer overflow. Please see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=172669 for
details and upstream's patch.
This affects oldstable and stable as well.
This is CVE-2005-4268, please mention it in the changelog when fixing
this.
Cheers,
Moritz
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-1-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Versions of packages cpio depends on:
ii libc6 2.3.5-8.1 GNU C Library: Shared libraries an
cpio recommends no packages.
-- no debconf information
Reply sent to Clint Adams <schizo@debian.org>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #10 received at 344134-close@bugs.debian.org (full text, mbox, reply):
Source: cpio
Source-Version: 2.6-10
We believe that the bug you reported is fixed in the latest version of
cpio, which is due to be installed in the Debian FTP archive:
cpio_2.6-10.diff.gz
to pool/main/c/cpio/cpio_2.6-10.diff.gz
cpio_2.6-10.dsc
to pool/main/c/cpio/cpio_2.6-10.dsc
cpio_2.6-10_sparc.deb
to pool/main/c/cpio/cpio_2.6-10_sparc.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 344134@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Clint Adams <schizo@debian.org> (supplier of updated cpio package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 20 Dec 2005 12:44:50 -0500
Source: cpio
Binary: cpio
Architecture: source sparc
Version: 2.6-10
Distribution: unstable
Urgency: medium
Maintainer: Clint Adams <schizo@debian.org>
Changed-By: Clint Adams <schizo@debian.org>
Description:
cpio - GNU cpio -- a program to manage archives of files
Closes: 344134
Changes:
cpio (2.6-10) unstable; urgency=medium
.
* Fix potential buffer overflow on 64-bit architectures.
[CVE-2005-4268]. closes: #344134.
Files:
e616c3fdf09d92a237eb551236978fff 549 utils important cpio_2.6-10.dsc
227b2539e6eccb661cefe4ee07a71f40 408410 utils important cpio_2.6-10.diff.gz
b72e080d7e395d8cefbaf270b991526d 127170 utils important cpio_2.6-10_sparc.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Debian!
iD8DBQFDqE9d5m0u66uWM3ARAispAKCa2zCe4YiY8gHaw5lHMtu2KggC/ACgjZ+J
6MQ4Wu9c1Rk9OqLq3+2ZIlE=
=u+EF
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Mon, 25 Jun 2007 04:28:11 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:37:58 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.