[arch-security] [ASA-201501-5] cpio: heap buffer overflow
anthraxx at archlinux.org
Wed Jan 14 16:26:49 UTC 2015
Arch Linux Security Advisory ASA-201501-5
Date : 2015-01-14
CVE-ID : CVE-2014-9112
Package : cpio
Type : heap buffer overflow
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package cpio before version 2.11-5 is vulnerable to a heap buffer
Upgrade to 2.11-5.
# pacman -Syu "cpio>=2.11-5"
The problem has been fixed upstream but no release is available yet.
A heap-based buffer overflow flaw was reported in cpio's list_file()
function. Attempting to extract a malicious cpio archive could cause
cpio to crash or, potentially, execute arbitrary code.
As noted in the original report, this issue could be triggered via other
utilities, such as when running "less".
An attacker is able to craft a malicious cpio archive which could cause
cpio to crash or, potentially, execute arbitrary code. This issue could
also be triggered via other utilities, such as when running "less".