CVE-2005-1229 - Directory Traversal vulnerability in CPIO Filename

CVSS 4.6 - MEDIUM
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: local, low complexity, gnu, nessus

Summary

Directory traversal vulnerability in cpio 2.6 and earlier allows remote attackers to write to arbitrary directories via a .. (dot dot) in a cpio file.

Vulnerable Configurations

Part: Application
Description: Gnu
Count: 9

Nessus

  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2007-233.NASL
    description: Buffer overflow in the safer_name_suffix function in GNU cpio has unspecified attack vectors and impact, resulting in a crashing stack. This problem is originally found in tar, but affects cpio too, due to similar code fragments. (CVE-2007-4476) Directory traversal vulnerability in cpio 2.6 and earlier allows remote attackers to write to arbitrary directories via a .. (dot dot) in a cpio file. This is an old issue, affecting only Mandriva Corporate Server 4 and Mandriva Linux 2007. (CVE-2005-1229) Updated package fixes these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 28352
    published: 2007-11-29
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/28352
    title: Mandrake Linux Security Advisory : cpio (MDKSA-2007:233)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-846.NASL
    description: Two vulnerabilities have been discovered in cpio, a program to manage archives of files. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2005-1111 Imran Ghory discovered a race condition in setting the file permissions of files extracted from cpio archives. A local attacker with write access to the target directory could exploit this to alter the permissions of arbitrary files the extracting user has write permissions for. - CAN-2005-1229 Imran Ghory discovered that cpio does not sanitise the path of extracted files even if the --no-absolute-filenames option was specified. This can be exploited to install files in arbitrary locations where the extracting user has write permissions to.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19954
    published: 2005-10-11
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19954
    title: Debian DSA-846-1 : cpio - several vulnerabilities
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-189-1.NASL
    description: Imran Ghory found a race condition in the handling of output files. While a file was unpacked with cpio, a local attacker with write permissions to the target directory could exploit this to change the permissions of arbitrary files of the cpio user. (CAN-2005-1111) Imran Ghory discovered a path traversal vulnerability. Even when the --no-absolute-filenames option was specified, cpio did not filter out
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20601
    published: 2006-01-15
    reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20601
    title: Ubuntu 4.10 / 5.04 : cpio vulnerabilities (USN-189-1)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-116.NASL
    description: A race condition has been found in cpio 2.6 and earlier which allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete (CVE-2005-1111). A vulnerability has been discovered in cpio that allows a malicious cpio file to extract to an arbitrary directory of the attacker's choice. cpio will extract to the path specified in the cpio file, this path can be absolute (CVE-2005-1229). Update : The previous packages had a problem upgrading due to an unresolved issue with tar and rmt. These packages correct the problem.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18678
    published: 2005-07-12
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18678
    title: Mandrake Linux Security Advisory : cpio (MDKSA-2005:116-1)

Statements

contributor: Mark J Cox
lastmodified: 2006-08-30
organization: Red Hat
statement: This is defined and documented behaviour: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=156313