Description
Security update for cpio
This update for cpio fixes the following issues:
- CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199).
Package list
Container caasp/v4/nginx-ingress-controller:beta1
cpio-2.11-36.6.1
Container suse/ltss/sle12.5/sles12sp5:latest
cpio-2.11-36.6.1
Container suse/sles12sp3:latest
cpio-2.11-36.6.1
Container suse/sles12sp4:latest
cpio-2.11-36.6.1
Container suse/sles12sp5:latest
cpio-2.11-36.6.1
Image SLES12-SP4-Azure-BYOS
cpio-2.11-36.6.1
Image SLES12-SP4-EC2-HVM-BYOS
cpio-2.11-36.6.1
Image SLES12-SP4-GCE-BYOS
cpio-2.11-36.6.1
Image SLES12-SP4-OCI-BYOS
cpio-2.11-36.6.1
Image SLES12-SP4-SAP-Azure
cpio-2.11-36.6.1
Image SLES12-SP4-SAP-Azure-BYOS
cpio-2.11-36.6.1
Image SLES12-SP4-SAP-Azure-LI-BYOS-Production
cpio-2.11-36.6.1
Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production
cpio-2.11-36.6.1
Image SLES12-SP4-SAP-EC2-HVM
cpio-2.11-36.6.1
Image SLES12-SP4-SAP-EC2-HVM-BYOS
cpio-2.11-36.6.1
Image SLES12-SP4-SAP-GCE
cpio-2.11-36.6.1
Image SLES12-SP4-SAP-GCE-BYOS
cpio-2.11-36.6.1
Image SLES12-SP4-SAP-OCI-BYOS
cpio-2.11-36.6.1
Image SLES12-SP5-Azure-BYOS
cpio-2.11-36.6.1
Image SLES12-SP5-Azure-Basic-On-Demand
cpio-2.11-36.6.1
Image SLES12-SP5-Azure-HPC-BYOS
cpio-2.11-36.6.1
Image SLES12-SP5-Azure-HPC-On-Demand
cpio-2.11-36.6.1
Image SLES12-SP5-Azure-SAP-BYOS
cpio-2.11-36.6.1
Image SLES12-SP5-Azure-SAP-On-Demand
cpio-2.11-36.6.1
Image SLES12-SP5-Azure-Standard-On-Demand
cpio-2.11-36.6.1
Image SLES12-SP5-EC2-BYOS
cpio-2.11-36.6.1
Image SLES12-SP5-EC2-ECS-On-Demand
cpio-2.11-36.6.1
Image SLES12-SP5-EC2-On-Demand
cpio-2.11-36.6.1
Image SLES12-SP5-EC2-SAP-BYOS
cpio-2.11-36.6.1
Image SLES12-SP5-EC2-SAP-On-Demand
cpio-2.11-36.6.1
Image SLES12-SP5-GCE-BYOS
cpio-2.11-36.6.1
Image SLES12-SP5-GCE-On-Demand
cpio-2.11-36.6.1
Image SLES12-SP5-GCE-SAP-BYOS
cpio-2.11-36.6.1
Image SLES12-SP5-GCE-SAP-On-Demand
cpio-2.11-36.6.1
Image SLES12-SP5-OCI-BYOS-BYOS
cpio-2.11-36.6.1
Image SLES12-SP5-OCI-BYOS-SAP-BYOS
cpio-2.11-36.6.1
Image SLES12-SP5-SAP-Azure-LI-BYOS-Production
cpio-2.11-36.6.1
Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production
cpio-2.11-36.6.1
SUSE Linux Enterprise Desktop 12 SP4
cpio-2.11-36.6.1
cpio-lang-2.11-36.6.1
SUSE Linux Enterprise Server 12 SP4
cpio-2.11-36.6.1
cpio-lang-2.11-36.6.1
SUSE Linux Enterprise Server 12 SP5
cpio-2.11-36.6.1
cpio-lang-2.11-36.6.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4
cpio-2.11-36.6.1
cpio-lang-2.11-36.6.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5
cpio-2.11-36.6.1
cpio-lang-2.11-36.6.1
References
- Link for SUSE-SU-2019:3064-1
- E-Mail link for SUSE-SU-2019:3064-1
- SUSE Security Ratings
- SUSE Bug 1155199
- SUSE CVE CVE-2019-14866 page
Description
All versions of cpio before 2.13 do not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths the attacker did not have access to. Extracting those archives as a high-privilege user without carefully reviewing them may lead to the compromise of the system.
Affected products
Container caasp/v4/nginx-ingress-controller:beta1:cpio-2.11-36.6.1
Container suse/ltss/sle12.5/sles12sp5:latest:cpio-2.11-36.6.1
Container suse/sles12sp3:latest:cpio-2.11-36.6.1
Container suse/sles12sp4:latest:cpio-2.11-36.6.1
References
- CVE-2019-14866
- SUSE Bug 1155199