CPIO CHMod File Permission Modification Race Condition Weakness

Bugtraq ID:	13159
Class:	Race Condition Error
CVE:	CVE-2005-1111
Remote:	No
Local:	Yes
Published:	Apr 13 2005 12:00AM
Updated:	Mar 19 2015 09:22AM
Credit:	Discovery of this weakness is credited to Imran Ghory <[email protected]>.
Vulnerable:	Turbolinux Turbolinux Workstation 8.0 Turbolinux Turbolinux Workstation 7.0 Turbolinux Turbolinux Server 8.0 Turbolinux Turbolinux Server 7.0 Turbolinux Turbolinux Desktop 10.0 Turbolinux Turbolinux 10 F... Turbolinux Home Turbolinux Appliance Server Workgroup Edition 1.0 Turbolinux Appliance Server Hosting Edition 1.0 Turbolinux Appliance Server 1.0 Workgroup Edition Turbolinux Appliance Server 1.0 Hosting Edition Trustix Secure Linux 2.2 Trustix Secure Linux 2.1 Trustix Secure Enterprise Linux 2.0 SuSE SUSE Linux Enterprise Server 9 SuSE SUSE Linux Enterprise Server 8 + Linux kernel 2.4.21 + Linux kernel 2.4.19 SGI ProPack 3.0 SP6 SCO Unixware 7.1.4 SCO Unixware 7.1.3 up SCO Unixware 7.1.3 SCO Open Server 6.0 SCO Open Server 5.0.7 S.u.S.E. SuSE Linux Standard Server 8.0 S.u.S.E. SuSE Linux School Server for i386 S.u.S.E. SUSE LINUX Retail Solution 8.0 S.u.S.E. SuSE Linux Openexchange Server 4.0 S.u.S.E. Open-Enterprise-Server 9.0 S.u.S.E. Novell Linux Desktop 9.0 S.u.S.E. Linux Professional 10.0 OSS S.u.S.E. Linux Professional 9.3 x86_64 S.u.S.E. Linux Professional 9.3 S.u.S.E. Linux Professional 9.2 x86_64 S.u.S.E. Linux Professional 9.2 S.u.S.E. Linux Professional 9.1 x86_64 S.u.S.E. Linux Professional 9.1 S.u.S.E. Linux Professional 9.0 x86_64 S.u.S.E. Linux Professional 9.0 S.u.S.E. Linux Professional 8.2 S.u.S.E. Linux Personal 10.0 OSS S.u.S.E. Linux Personal 9.3 x86_64 S.u.S.E. Linux Personal 9.3 S.u.S.E. Linux Personal 9.2 x86_64 S.u.S.E. Linux Personal 9.2 S.u.S.E. Linux Personal 9.1 x86_64 S.u.S.E. Linux Personal 9.1 S.u.S.E. Linux Personal 9.0 x86_64 S.u.S.E. Linux Personal 9.0 S.u.S.E. Linux Personal 8.2 S.u.S.E. Linux Desktop 1.0 RedHat Enterprise Linux WS 4 RedHat Enterprise Linux WS 3 RedHat Enterprise Linux WS 2.1 IA64 RedHat Enterprise Linux WS 2.1 RedHat Enterprise Linux ES 4 RedHat Enterprise Linux ES 3 RedHat Enterprise Linux ES 2.1 IA64 RedHat Enterprise Linux ES 2.1 RedHat Desktop 4.0 RedHat Desktop 3.0 RedHat Advanced Workstation for the Itanium Processor 2.1 IA64 RedHat Advanced Workstation for the Itanium Processor 2.1 Red Hat Enterprise Linux AS 4 Red Hat Enterprise Linux AS 3 Red Hat Enterprise Linux AS 2.1 IA64 Red Hat Enterprise Linux AS 2.1 Mandriva Linux Mandrake 10.2 x86_64 Mandriva Linux Mandrake 10.2 Mandriva Linux Mandrake 10.1 x86_64 Mandriva Linux Mandrake 10.1 Mandriva Linux Mandrake 10.0 AMD64 Mandriva Linux Mandrake 10.0 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 MandrakeSoft Corporate Server 2.1 x86_64 MandrakeSoft Corporate Server 2.1 GNU cpio 2.6 + Gentoo Linux + Mandriva Linux Mandrake 2006.0 x86_64 + Mandriva Linux Mandrake 2006.0 + Mandriva Linux Mandrake 10.2 x86_64 + Mandriva Linux Mandrake 10.2 GNU cpio 2.5.90 GNU cpio 2.5 + Debian Linux 3.1 + MandrakeSoft Corporate Server 3.0 x86_64 + MandrakeSoft Corporate Server 3.0 + MandrakeSoft Corporate Server 2.1 x86_64 + MandrakeSoft Corporate Server 2.1 + Mandriva Linux Mandrake 10.1 x86_64 + Mandriva Linux Mandrake 10.1 + Mandriva Linux Mandrake 10.0 AMD64 + Mandriva Linux Mandrake 10.0 + Mandriva Linux Mandrake 9.2 amd64 + Mandriva Linux Mandrake 9.2 + Mandriva Linux Mandrake 9.1 ppc + Mandriva Linux Mandrake 9.1 + Ubuntu Ubuntu Linux 5.10 powerpc + Ubuntu Ubuntu Linux 5.10 i386 + Ubuntu Ubuntu Linux 5.10 amd64 + Ubuntu Ubuntu Linux 5.0 4 powerpc + Ubuntu Ubuntu Linux 5.0 4 i386 + Ubuntu Ubuntu Linux 5.0 4 amd64 + Ubuntu Ubuntu Linux 4.1 ppc + Ubuntu Ubuntu Linux 4.1 ia64 + Ubuntu Ubuntu Linux 4.1 ia32 GNU cpio 2.4.2 GNU cpio 1.3 GNU cpio 1.2 GNU cpio 1.1 GNU cpio 1.0 FreeBSD FreeBSD 6.0 -STABLE FreeBSD FreeBSD 6.0 -RELEASE FreeBSD FreeBSD 5.4 -RELENG FreeBSD FreeBSD 5.4 -RELEASE FreeBSD FreeBSD 5.4 -PRERELEASE FreeBSD FreeBSD 5.3 -STABLE FreeBSD FreeBSD 5.3 -RELENG FreeBSD FreeBSD 5.3 -RELEASE FreeBSD FreeBSD 5.3 FreeBSD FreeBSD 5.2.1 -RELEASE FreeBSD FreeBSD 5.2 -RELENG FreeBSD FreeBSD 5.2 -RELEASE FreeBSD FreeBSD 5.2 FreeBSD FreeBSD 5.1 -RELENG FreeBSD FreeBSD 5.1 -RELEASE/Alpha FreeBSD FreeBSD 5.1 -RELEASE-p5 FreeBSD FreeBSD 5.1 -RELEASE FreeBSD FreeBSD 5.1 FreeBSD FreeBSD 5.0 -RELENG FreeBSD FreeBSD 5.0 -RELEASE-p14 FreeBSD FreeBSD 5.0 alpha FreeBSD FreeBSD 5.0 FreeBSD FreeBSD 4.11 -STABLE FreeBSD FreeBSD 4.11 -RELENG FreeBSD FreeBSD 4.11 -RELEASE-p3 FreeBSD FreeBSD 4.10 -RELENG FreeBSD FreeBSD 4.10 -RELEASE-p8 FreeBSD FreeBSD 4.10 -RELEASE FreeBSD FreeBSD 4.10 FreeBSD FreeBSD 4.9 -RELENG FreeBSD FreeBSD 4.9 -PRERELEASE FreeBSD FreeBSD 4.9 FreeBSD FreeBSD 4.8 -RELENG FreeBSD FreeBSD 4.8 -RELEASE-p7 FreeBSD FreeBSD 4.8 -PRERELEASE FreeBSD FreeBSD 4.8 FreeBSD FreeBSD 4.7 -STABLE FreeBSD FreeBSD 4.7 -RELENG FreeBSD FreeBSD 4.7 -RELEASE-p17 FreeBSD FreeBSD 4.7 -RELEASE FreeBSD FreeBSD 4.7 FreeBSD FreeBSD 4.6.2 FreeBSD FreeBSD 4.6 -STABLE FreeBSD FreeBSD 4.6 -RELENG FreeBSD FreeBSD 4.6 -RELEASE-p20 FreeBSD FreeBSD 4.6 -RELEASE FreeBSD FreeBSD 4.6 FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07 FreeBSD FreeBSD 4.5 -STABLE FreeBSD FreeBSD 4.5 -RELENG FreeBSD FreeBSD 4.5 -RELEASE-p32 FreeBSD FreeBSD 4.5 -RELEASE FreeBSD FreeBSD 4.5 FreeBSD FreeBSD 4.4 -STABLE FreeBSD FreeBSD 4.4 -RELENG FreeBSD FreeBSD 4.4 -RELEASE-p42 FreeBSD FreeBSD 4.4 FreeBSD FreeBSD 4.3 -STABLE FreeBSD FreeBSD 4.3 -RELENG FreeBSD FreeBSD 4.3 -RELEASE-p38 FreeBSD FreeBSD 4.3 -RELEASE FreeBSD FreeBSD 4.3 FreeBSD FreeBSD 4.2 -STABLEpre122300 FreeBSD FreeBSD 4.2 -STABLEpre050201 FreeBSD FreeBSD 4.2 -STABLE FreeBSD FreeBSD 4.2 -RELEASE FreeBSD FreeBSD 4.2 FreeBSD FreeBSD 4.1.1 -STABLE FreeBSD FreeBSD 4.1.1 -RELEASE FreeBSD FreeBSD 4.1.1 FreeBSD FreeBSD 4.1 FreeBSD FreeBSD 4.0 .x FreeBSD FreeBSD 4.0 -RELENG FreeBSD FreeBSD 4.0 alpha FreeBSD FreeBSD 4.0 FreeBSD FreeBSD 3.x FreeBSD FreeBSD 2.x FreeBSD FreeBSD -current Conectiva Linux 10.0 Avaya Intuity Audix R5 0
Not Vulnerable:

CPIO CHMod File Permission Modification Race Condition Weakness

The cpio utility is prone to a security weakness. The issue occurs only when an archive is extracted into a world- or group-writeable directory. Reportedly, cpio employs non-atomic procedures to write a file and later change the permissions on the newly extracted file.

A local attacker may leverage this issue to modify file permissions of target files.

This weakness affects cpio version 2.6 and previous versions.

CPIO CHMod File Permission Modification Race Condition Weakness

No exploit is required.

CPIO CHMod File Permission Modification Race Condition Weakness

Solution:


Please see the references for vendor advisories and fixes.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected]


GNU cpio 1.1

• Ubuntu cpio_2.5-1.1ubuntu0.2_amd64.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/c/cpio/cpio_2.5-1.1ubuntu0 .2_amd64.deb


• Ubuntu cpio_2.5-1.1ubuntu0.2_i386.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/c/cpio/cpio_2.5-1.1ubuntu0 .2_i386.deb


• Ubuntu cpio_2.5-1.1ubuntu0.2_powerpc.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/c/cpio/cpio_2.5-1.1ubuntu0 .2_powerpc.deb


• Ubuntu cpio_2.5-1.1ubuntu1.1_amd64.deb
  Ubuntu 5.04 (Hoary Hedgehog)
  http://security.ubuntu.com/ubuntu/pool/main/c/cpio/cpio_2.5-1.1ubuntu1 .1_amd64.deb


• Ubuntu cpio_2.5-1.1ubuntu1.1_i386.deb
  Ubuntu 5.04 (Hoary Hedgehog)
  http://security.ubuntu.com/ubuntu/pool/main/c/cpio/cpio_2.5-1.1ubuntu1 .1_i386.deb


• Ubuntu cpio_2.5-1.1ubuntu1.1_powerpc.deb
  Ubuntu 5.04 (Hoary Hedgehog)
  http://security.ubuntu.com/ubuntu/pool/main/c/cpio/cpio_2.5-1.1ubuntu1 .1_powerpc.deb

GNU cpio 2.5

• Conectiva cpio-2.5-61325U10_1cl.i386.rpm
  Conectiva 10
  ftp://atualizacoes.conectiva.com.br/10/RPMS/cpio-2.5-61325U10_1cl.i386 .rpm


• Mandriva cpio-2.5-4.2.100mdk.amd64.rpm
  Mandriva Linux 10.0/AMD64
  http://www1.mandrivalinux.com/en/ftp.php3


• Mandriva cpio-2.5-4.2.100mdk.i586.rpm
  Mandriva Linux 10.0
  http://www1.mandrivalinux.com/en/ftp.php3


• Mandriva cpio-2.5-4.2.C21mdk.i586.rpm
  Mandriva Corporate Server 2.1
  http://www1.mandrivalinux.com/en/ftp.php3


• Mandriva cpio-2.5-4.2.C21mdk.x86_64.rpm
  Mandriva Corporate Server 2.1/x86_64
  http://www1.mandrivalinux.com/en/ftp.php3


• Mandriva cpio-2.5-4.2.C30mdk.i586.rpm
  Mandriva Corporate Server 3.0
  http://www1.mandrivalinux.com/en/ftp.php3


• Mandriva cpio-2.5-4.2.C30mdk.x86_64.rpm
  Mandriva Corporate Server 3.0/x86_64
  http://www1.mandrivalinux.com/en/ftp.php3


• Mandriva cpio-2.5-4.3.101mdk.i586.rpm
  Mandriva Linux 10.1
  http://www1.mandrivalinux.com/en/ftp.php3


• Mandriva cpio-2.5-4.3.101mdk.x86_64.rpm
  Mandriva Linux 10.1/x86_64
  http://www1.mandrivalinux.com/en/ftp.php3


• Mandriva cpio-2.6-3.1.102mdk.i586.rpm
  Mandriva Linux 10.2
  http://www1.mandrivalinux.com/en/ftp.php3


• Mandriva cpio-2.6-3.1.102mdk.x86_64.rpm
  Mandriva Linux 10.2/x86_64
  http://www1.mandrivalinux.com/en/ftp.php3


• Turbolinux cpio-2.5-5.i586.rpm
  Turbolinux 10 Server
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/up dates/RPMS/cpio-2.5-5.i586.rpm


• Turbolinux cpio-2.5-5.src.rpm
  Turbolinux 10 Server
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/up dates/SRPMS/cpio-2.5-5.src.rpm


• Turbolinux cpio-debug-2.5-5.i586.rpm
  Turbolinux 10 Server
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/up dates/RPMS/cpio-debug-2.5-5.i586.rpm

SGI ProPack 3.0 SP6

• SGI Patch 10197
  ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/RPMS

FreeBSD FreeBSD 4.11 -STABLE

• FreeBSD cpio.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:03/cpio.patch

FreeBSD FreeBSD 5.3

• FreeBSD cpio.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:03/cpio.patch

FreeBSD FreeBSD 5.3 -STABLE

• FreeBSD cpio.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:03/cpio.patch

FreeBSD FreeBSD 5.4 -RELENG

• FreeBSD cpio.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:03/cpio.patch

FreeBSD FreeBSD 6.0 -STABLE

• FreeBSD cpio.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:03/cpio.patch

SCO Open Server 6.0

• SCO p532911.600_vol.tar
  ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.2/p532911.600_vol. tar

FreeBSD FreeBSD 6.0 -RELEASE

• FreeBSD cpio.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:03/cpio.patch

SCO Unixware 7.1.4

• SCO erg712854.uw714.pkg.Z
  ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.32/erg712854.uw714.p kg.Z

CPIO CHMod File Permission Modification Race Condition Weakness

References:

• ASA-2005-191 - cpio race condition - (SCOSA-2005.32) (Avaya)
  
• cpio Home Page (GNU)
  
• RHSA-2005:378-17 - Low: cpio security update (RedHat)
  
• RHSA-2005:806-8 - cpio security update (RedHat)
  
• cpio TOCTOU file-permissions vulnerability (Imran Ghory )