CVE-2005-1111 - Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in multiple products

CVSS 4.7 - MEDIUM
Attack vector: LOCAL
Attack complexity: HIGH
Privileges required: LOW
Confidentiality impact: NONE
Integrity impact: HIGH
Availability impact: NONE
Tags: local, high complexity, gnu, debian, canonical, CWE-367, nessus

Summary

Race condition in cpio 2.6 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions via Symbolic Links
    This attack leverages symbolic links (symlinks) to write to sensitive files. An attacker can create a symlink to a target file that is not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the symlink, it actually writes to the target file that the attacker's symlink points to. If the attacker can insert malicious content into the temporary file, that content is written to the sensitive file through the symlink. The race occurs because the system checks whether the temporary file exists and then creates the file. The attacker would typically create the symlink during the interval between the check and the creation of the temporary file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) of a resource and the time of use of that resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that they modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period, the attacker could do something such as replace the file and cause an escalation of privilege.

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-378.NASL
    description: An updated cpio package that fixes multiple issues is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. GNU cpio copies files into or out of a cpio or tar archive. A race condition bug was found in cpio. It is possible for a local malicious user to modify the permissions of a local file if they have write access to a directory in which a cpio archive is being extracted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1111 to this issue. Additionally, this update adds cpio support for archives larger than 2GB. However, the size of individual files within an archive is limited to 4GB. All users of cpio are advised to upgrade to this updated package, which contains backported fixes for these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19283
    published: 2005-07-22
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/19283
    title: RHEL 3 / 4 : cpio (RHSA-2005:378)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:378. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19283);
      script_version ("1.24");
      script_cvs_date("Date: 2019/10/25 13:36:11");
    
      script_cve_id("CVE-2005-1111");
      script_bugtraq_id(13159);
      script_xref(name:"RHSA", value:"2005:378");
    
      script_name(english:"RHEL 3 / 4 : cpio (RHSA-2005:378)");
      script_summary(english:"Checks the rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An updated cpio package that fixes multiple issues is now available.
    
    This update has been rated as having low security impact by the Red
    Hat Security Response Team.
    
    GNU cpio copies files into or out of a cpio or tar archive.
    
    A race condition bug was found in cpio. It is possible for a local
    malicious user to modify the permissions of a local file if they have
    write access to a directory in which a cpio archive is being
    extracted. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2005-1111 to this issue.
    
    Additionally, this update adds cpio support for archives larger than
    2GB. However, the size of individual files within an archive is
    limited to 4GB.
    
    All users of cpio are advised to upgrade to this updated package,
    which contains backported fixes for these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-1111"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2005:378"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected cpio package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:ND");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cpio");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x / 4.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2005:378";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_NOTE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL3", reference:"cpio-2.5-4.RHEL3")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"cpio-2.5-8.RHEL4")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_NOTE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cpio");
      }
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2005-378.NASL
    description: An updated cpio package that fixes multiple issues is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. GNU cpio copies files into or out of a cpio or tar archive. A race condition bug was found in cpio. It is possible for a local malicious user to modify the permissions of a local file if they have write access to a directory in which a cpio archive is being extracted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1111 to this issue. Additionally, this update adds cpio support for archives larger than 2GB. However, the size of individual files within an archive is limited to 4GB. All users of cpio are advised to upgrade to this updated package, which contains backported fixes for these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21815
    published: 2006-07-03
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21815
    title: CentOS 3 / 4 : cpio (CESA-2005:378)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:378 and 
    # CentOS Errata and Security Advisory 2005:378 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21815);
      script_version("1.19");
      script_cvs_date("Date: 2019/10/25 13:36:02");
    
      script_cve_id("CVE-2005-1111");
      script_bugtraq_id(13159);
      script_xref(name:"RHSA", value:"2005:378");
    
      script_name(english:"CentOS 3 / 4 : cpio (CESA-2005:378)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An updated cpio package that fixes multiple issues is now available.
    
    This update has been rated as having low security impact by the Red
    Hat Security Response Team.
    
    GNU cpio copies files into or out of a cpio or tar archive.
    
    A race condition bug was found in cpio. It is possible for a local
    malicious user to modify the permissions of a local file if they have
    write access to a directory in which a cpio archive is being
    extracted. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2005-1111 to this issue.
    
    Additionally, this update adds cpio support for archives larger than
    2GB. However, the size of individual files within an archive is
    limited to 4GB.
    
    All users of cpio are advised to upgrade to this updated package,
    which contains backported fixes for these issues."
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-July/011938.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d58a37f6"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-July/011940.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0fd3f45c"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-July/011943.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?da78775d"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-July/011944.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?bffea584"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-July/011951.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?981c5aef"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-July/011952.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?727e62d2"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-July/011953.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0608d7ad"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-July/011954.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?a539f070"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected cpio package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:ND");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:cpio");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/07/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-3", reference:"cpio-2.5-4.RHEL3")) flag++;
    
    if (rpm_check(release:"CentOS-4", reference:"cpio-2.5-8.RHEL4")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_NOTE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cpio");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-846.NASL
    description: Two vulnerabilities have been discovered in cpio, a program to manage archives of files. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2005-1111 Imran Ghory discovered a race condition in setting the file permissions of files extracted from cpio archives. A local attacker with write access to the target directory could exploit this to alter the permissions of arbitrary files the extracting user has write permissions for. - CAN-2005-1229 Imran Ghory discovered that cpio does not sanitise the path of extracted files even if the --no-absolute-filenames option was specified. This can be exploited to install files in arbitrary locations where the extracting user has write permissions to.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19954
    published: 2005-10-11
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19954
    title: Debian DSA-846-1 : cpio - several vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-846. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19954);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      script_cve_id("CVE-2005-1111", "CVE-2005-1229");
      script_xref(name:"DSA", value:"846");
    
      script_name(english:"Debian DSA-846-1 : cpio - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Two vulnerabilities have been discovered in cpio, a program to manage
    archives of files. The Common Vulnerabilities and Exposures project
    identifies the following problems :
    
      - CAN-2005-1111
        Imran Ghory discovered a race condition in setting the
        file permissions of files extracted from cpio archives.
        A local attacker with write access to the target
        directory could exploit this to alter the permissions of
        arbitrary files the extracting user has write
        permissions for.
    
      - CAN-2005-1229
    
        Imran Ghory discovered that cpio does not sanitise the
        path of extracted files even if the
        --no-absolute-filenames option was specified. This can
        be exploited to install files in arbitrary locations
        where the extracting user has write permissions to."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=306693"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305372"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2005/dsa-846"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the cpio package.
    
    For the old stable distribution (woody) these problems have been fixed
    in version 2.4.2-39woody2.
    
    For the stable distribution (sarge) these problems have been fixed in
    version 2.5-1.3."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cpio");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/10/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/11");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/04/20");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"cpio", reference:"2.4.2-39woody2")) flag++;
    if (deb_check(release:"3.1", prefix:"cpio", reference:"2.5-1.3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-189-1.NASL
    description: Imran Ghory found a race condition in the handling of output files. While a file was unpacked with cpio, a local attacker with write permissions to the target directory could exploit this to change the permissions of arbitrary files of the cpio user. (CAN-2005-1111) Imran Ghory discovered a path traversal vulnerability. Even when the --no-absolute-filenames option was specified, cpio did not filter out
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20601
    published: 2006-01-15
    reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20601
    title: Ubuntu 4.10 / 5.04 : cpio vulnerabilities (USN-189-1)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-806.NASL
    description: An updated cpio package that fixes multiple issues is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. GNU cpio copies files into or out of a cpio or tar archive. A race condition bug was found in cpio. It is possible for a local malicious user to modify the permissions of a local file if they have write access to a directory in which a cpio archive is being extracted. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-1111 to this issue. It was discovered that cpio uses a 0 umask when creating files using the -O (archive) option. This creates output files with mode 0666 (all users can read and write) regardless of the user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20204
    published: 2005-11-15
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/20204
    title: RHEL 2.1 : cpio (RHSA-2005:806)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-116.NASL
    description: A race condition has been found in cpio 2.6 and earlier which allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete (CVE-2005-1111). A vulnerability has been discovered in cpio that allows a malicious cpio file to extract to an arbitrary directory of the attackers choice. cpio will extract to the path specified in the cpio file, this path can be absolute (CVE-2005-1229). Update : The previous packages had a problem upgrading due to an unresolved issue with tar and rmt. These packages correct the problem.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18678
    published: 2005-07-12
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18678
    title: Mandrake Linux Security Advisory : cpio (MDKSA-2005:116-1)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200506-16.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200506-16 (cpio: Directory traversal vulnerability) A vulnerability has been found in cpio that can potentially allow a cpio archive to extract its files to an arbitrary directory of the creator
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18531
    published: 2005-06-20
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/18531
    title: GLSA-200506-16 : cpio: Directory traversal vulnerability

Oval

  • accepted: 2005-09-21T01:33:00.000-04:00
    class: vulnerability
    contributors:
    • name: Jay Beale
      organization: Bastille Linux
    description: Race condition in cpio 2.6 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete.
    family: unix
    id: oval:org.mitre.oval:def:358
    status: accepted
    submitted: 2005-08-08T12:00:00.000-04:00
    title: cpio Race Condition
    version: 4
  • accepted: 2013-04-29T04:22:09.996-04:00
    class: vulnerability
    contributors:
    • name: Aharon Chernin
      organization: SCAP.com, LLC
    • name: Dragos Prisaca
      organization: G2, Inc.
    definition_extensions:
    • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
      oval: oval:org.mitre.oval:def:11782
    • comment: CentOS Linux 3.x
      oval: oval:org.mitre.oval:def:16651
    • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
      oval: oval:org.mitre.oval:def:11831
    • comment: CentOS Linux 4.x
      oval: oval:org.mitre.oval:def:16636
    • comment: Oracle Linux 4.x
      oval: oval:org.mitre.oval:def:15990
    description: Race condition in cpio 2.6 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete.
    family: unix
    id: oval:org.mitre.oval:def:9783
    status: accepted
    submitted: 2010-07-09T03:56:16-04:00
    title: Race condition in cpio 2.6 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete.
    version: 26

Redhat

advisories:
  • rhsa
    id: RHSA-2005:378
  • rhsa
    id: RHSA-2005:806
rpms:
  • cpio-0:2.5-4.RHEL3
  • cpio-0:2.5-8.RHEL4
  • cpio-debuginfo-0:2.5-4.RHEL3
  • cpio-debuginfo-0:2.5-8.RHEL4

Statements

contributor: Mark J Cox
lastmodified: 2007-03-14
organization: Red Hat
statement: Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

References