Launchpad has imported 12 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=280961.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2007-09-06T17:01:45+00:00 Tomas wrote:

Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4476 to the following vulnerability:

Bug in the safer_name_suffix function in GNU tar may lead to a "crashing stack". It can be used to crash tar while extracting an archive containing a file with a long name containing an unsafe prefix. The affected function is also part of the cpio source code.

References:
http://www.novell.com/linux/security/advisories/2007_18_sr.html
http://lists.gnu.org/archive/html/bug-cpio/2007-08/msg00002.html

Reply at: https://bugs.launchpad.net/ubuntu/+source/cpio/+bug/161173/comments/0

------------------------------------------------------------------------
On 2007-09-06T17:05:50+00:00 Tomas wrote:

Upstream patch for paxutils / paxlib (used by recent versions of tar and cpio):
http://cvs.savannah.gnu.org/viewvc/paxutils/paxutils/paxlib/names.c?r1=1.2&r2=1.4

Reply at: https://bugs.launchpad.net/ubuntu/+source/cpio/+bug/161173/comments/1

------------------------------------------------------------------------
On 2007-10-24T15:35:04+00:00 Radek wrote:

Created attachment 236281
patch for cpio-2.6

This patch should work for all affected software, as the rest of the patch from comment #1 is just optimizations for memory usage (one malloc less).

Reply at: https://bugs.launchpad.net/ubuntu/+source/cpio/+bug/161173/comments/2

------------------------------------------------------------------------
On 2007-10-24T15:40:00+00:00 Radek wrote:

Fedora builds of fixed tar are now complete (with the patch from upstream):
tar-1.15.1-27.fc6
tar-1.15.1-28.fc7
tar-1.17-4.fc8
tar-1.17-4.fc9

Reply at: https://bugs.launchpad.net/ubuntu/+source/cpio/+bug/161173/comments/3

------------------------------------------------------------------------
On 2007-10-29T19:02:36+00:00 Fedora wrote:

tar-1.15.1-28.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

Reply at: https://bugs.launchpad.net/ubuntu/+source/cpio/+bug/161173/comments/4

------------------------------------------------------------------------
On 2007-11-01T18:43:20+00:00 Radek wrote:

Created attachment 245931
new patch for cpio-2.6 (this one frees malloc'd memory)

Reply at: https://bugs.launchpad.net/ubuntu/+source/cpio/+bug/161173/comments/5

------------------------------------------------------------------------
On 2007-11-02T13:44:11+00:00 Radek wrote:

Fixed Fedora builds of cpio:
cpio-2.6-22.fc6
cpio-2.6-28.fc7
cpio-2.9-5.fc8
cpio-2.9-5.fc9

Reply at: https://bugs.launchpad.net/ubuntu/+source/cpio/+bug/161173/comments/6

------------------------------------------------------------------------
On 2007-11-05T15:06:18+00:00 Fedora wrote:

cpio-2.6-28.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

Reply at: https://bugs.launchpad.net/ubuntu/+source/cpio/+bug/161173/comments/7

------------------------------------------------------------------------
On 2007-11-06T16:05:52+00:00 Fedora wrote:

tar-1.17-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

Reply at: https://bugs.launchpad.net/ubuntu/+source/cpio/+bug/161173/comments/8

------------------------------------------------------------------------
On 2007-11-06T16:08:27+00:00 Fedora wrote:

cpio-2.9-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

Reply at: https://bugs.launchpad.net/ubuntu/+source/cpio/+bug/161173/comments/9

------------------------------------------------------------------------
On 2010-03-15T23:55:40+00:00 errata-xmlrpc wrote:

This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5

Via RHSA-2010:0141 https://rhn.redhat.com/errata/RHSA-2010-0141.html

Reply at: https://bugs.launchpad.net/ubuntu/+source/cpio/+bug/161173/comments/31

------------------------------------------------------------------------
On 2010-03-16T01:15:30+00:00 errata-xmlrpc wrote:

This issue has been addressed in the following products:
Red Hat Enterprise Linux 5

Via RHSA-2010:0144 https://rhn.redhat.com/errata/RHSA-2010-0144.html

Reply at: https://bugs.launchpad.net/ubuntu/+source/cpio/+bug/161173/comments/32

** Changed in: fedora
   Status: Confirmed => Fix Released

** Changed in: fedora
   Importance: Unknown => Low

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cpio in Ubuntu.
https://bugs.launchpad.net/bugs/161173

Title:
  [CVE-2007-4476] cpio is affected by this CVE as tar.

Status in cpio package in Ubuntu:
  Fix Released
Status in cpio source package in Dapper:
  Fix Released
Status in cpio source package in Edgy:
  Invalid
Status in cpio source package in Feisty:
  Fix Released
Status in cpio source package in Gutsy:
  Fix Released
Status in Fedora:
  Fix Released

Bug description:
  Binary package hint: cpio

  Dear Colleagues,

  cpio has the same security issue as tar, as explained in CVE-2007-4476.

  Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a "crashing stack."

  I'll provide some security updates for dapper, edgy, feisty, gutsy as well as a merge for the latest hardy upload.
  Regards,
  \sh