Referenced CVEs: 
CAN-2005-1111, CAN-2005-1229
Description: 
===========================================================
Ubuntu Security Notice USN-189-1         September 29, 2005
cpio vulnerabilities
CAN-2005-1111, CAN-2005-1229
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

cpio

The problem can be corrected by upgrading the affected package to
version 2.5-1.1ubuntu0.2 (for Ubuntu 4.10), or 2.5-1.1ubuntu1.1 (for
Ubuntu 5.04). In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

Imran Ghory found a race condition in the handling of output files.
While a file was unpacked with cpio, a local attacker with write
permissions to the target directory could exploit this to change the
permissions of arbitrary files of the cpio user. (CAN-2005-1111)

Imran Ghory discovered a path traversal vulnerability. Even when the
--no-absolute-filenames option was specified, cpio did not filter out
".." path components. By tricking a user into unpacking a malicious
cpio archive, this could be exploited to install files in arbitrary
paths with the privileges of the user calling cpio. (CAN-2005-1229)
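
A pre-extraction check for the ".." issue described under CAN-2005-1229, as an added example that is not part of the original notice or of cpio's own code: it reads member names from an archive without unpacking it and reports names that are absolute or contain a ".." component. It assumes the "newc" (SVR4) archive format; all function names and the sample archive are constructed for illustration.

```python
import io

HEADER_LEN = 110  # "070701" magic + 13 eight-digit hex fields (newc format)

def _pad4(n):  # bytes needed to round n up to a multiple of 4
    return (4 - n % 4) % 4

def member_names(archive: bytes):
    """Yield member names from a cpio 'newc' archive without extracting."""
    stream = io.BytesIO(archive)
    while True:
        header = stream.read(HEADER_LEN)
        if len(header) < HEADER_LEN or header[:6] not in (b"070701", b"070702"):
            raise ValueError("not a newc cpio header (or archive truncated)")
        fields = [int(header[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = stream.read(namesize).rstrip(b"\0").decode("utf-8", "replace")
        stream.seek(_pad4(HEADER_LEN + namesize), io.SEEK_CUR)
        if name == "TRAILER!!!":  # end-of-archive marker
            return
        stream.seek(filesize + _pad4(filesize), io.SEEK_CUR)  # skip file data
        yield name

def is_unsafe(name: str) -> bool:
    """True if the name is absolute or contains a '..' path component."""
    return name.startswith("/") or ".." in name.split("/")

def unsafe_members(archive: bytes):
    return [n for n in member_names(archive) if is_unsafe(n)]

def _entry(name: str, data: bytes = b"") -> bytes:
    """Build one newc entry (used only for the constructed sample below)."""
    raw = name.encode() + b"\0"
    fields = [0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(raw), 0]
    head = b"070701" + b"".join(b"%08X" % f for f in fields)
    return (head + raw + b"\0" * _pad4(len(head) + len(raw))
            + data + b"\0" * _pad4(len(data)))

# Constructed sample archive: two harmless members, one "..", one absolute.
SAMPLE = b"".join([
    _entry("docs/readme.txt", b"hello\n"),
    _entry("docs/../../outside.txt", b"x"),
    _entry("/etc/example.conf", b"y"),
    _entry("notes..txt", b"z"),  # ".." inside a file name is not a component
    _entry("TRAILER!!!"),
])

if __name__ == "__main__":
    print(unsafe_members(SAMPLE))
```

The check compares whole path components, so a name such as "notes..txt" is not flagged while "docs/../../outside.txt" is.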