FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

cpio -- multiple vulnerabilities

Affected systems
6.0 <= FreeBSD < 6.0_2
5.4 <= FreeBSD < 5.4_9
5.3 <= FreeBSD < 5.3_24
4.11 <= FreeBSD < 4.11_14
4.10 <= FreeBSD < 4.10_20

Details

VuXML ID 6b0215ae-8f26-11da-8c1d-000e0c2e438a
Discovery 2006-01-11
Entry 2006-01-27

Problem description:

A number of issues have been discovered in cpio:

When creating a new file, cpio closes the file before setting its permissions. (CVE-2005-1111)

When extracting files, cpio does not properly sanitize file names to filter out ".." components, even if the --no-absolute-filenames option is used. (CVE-2005-1229)

When adding large files (larger than 4 GB) to a cpio archive on 64-bit platforms, an internal buffer might overflow. (CVE-2005-4268)

Impact

The first problem can allow a local attacker to change the permissions of files owned by the user executing cpio, provided that they have write access to the directory in which the file is being extracted. (CVE-2005-1111)

The lack of proper file name sanitization can allow an attacker to overwrite arbitrary local files when extracting files from a cpio archive. (CVE-2005-1229)

The buffer overflow on 64-bit platforms could cause cpio to crash (a denial of service) or possibly to execute arbitrary code with the permissions of the user running cpio. (CVE-2005-4268)
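The kind of member-name check whose absence CVE-2005-1229 describes can be sketched as below. This is an added example, not code from cpio or from the FreeBSD advisory; the helper name member_name_is_safe and the sample names are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not cpio's code): returns true only if an archive
 * member name is relative and has no ".." path component, so joining it
 * to the extraction directory cannot name a path outside that directory. */
static bool member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return false;                  /* empty or absolute name */

    const char *p = name;
    while (*p != '\0') {
        size_t len = strcspn(p, "/");  /* length of the current component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;              /* ".." at any depth is rejected */
        p += len;
        while (*p == '/')              /* skip one or more separators */
            p++;
    }
    return true;
}

int main(void)
{
    /* Constructed sample member names, not taken from a real archive. */
    static const char *samples[] = {
        "etc/motd", "./a//b", "a..b/...",            /* accepted */
        "/etc/passwd", "../x", "a/../../b", "a/.."   /* rejected */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s %s\n", samples[i],
               member_name_is_safe(samples[i]) ? "ok" : "REJECT");
    return 0;
}
```

The check compares whole path components, so names such as "a..b" or "..." are still accepted. It covers names only; symbolic links stored in an archive need separate handling.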

Workaround

Use a different utility to create and extract cpio archives, for example pax(1) or (on FreeBSD 5.3 or later) tar(1). If this is not possible, do not extract untrusted archives and, when running on 64-bit platforms, do not add untrusted files to cpio archives.

References

CVE Name CVE-2005-1111
CVE Name CVE-2005-1229
CVE Name CVE-2005-4268
FreeBSD Advisory SA-06:03.cpio