FreeBSD : cpio -- multiple vulnerabilities (72ee9707-d7b2-11e4-8d8e-f8b156b6dcc8)

medium Nessus Plugin ID 82480

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

From the Debian Security Team :

Heap-based buffer overflow in the process_copy_in function in GNU Cpio 2.11 allows remote attackers to cause a denial of service via a large block value in a cpio archive.

cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.

Solution

Update the affected package.

See Also

https://security-tracker.debian.org/tracker/CVE-2014-9112

https://bugzilla.suse.com/show_bug.cgi?id=658010

http://www.nessus.org/u?47dc84a2

Plugin Details

Severity: Medium

ID: 82480

File Name: freebsd_pkg_72ee9707d7b211e48d8ef8b156b6dcc8.nasl

Version: 1.4

Type: local

Published: 4/1/2015

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:gcpio, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 3/31/2015

Vulnerability Publication Date: 3/27/2015

Reference Information

CVE: CVE-2014-9112, CVE-2015-1197