CVE-2021-38185: GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data. Fix is https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b according to https://lists.gnu.org/archive/html/bug-cpio/2021-08/msg00002.html
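The bug class named in the CVE text above (a length computation that wraps while a string buffer grows, so later writes land outside the heap allocation) is shown here in hardened form as an added example. It is not GNU cpio's code or the upstream fix; `next_capacity` and `read_record` are hypothetical names, and the `2*cap + 2` growth step is an assumption.

```c
/* Added example; not GNU cpio source. All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Compute the next capacity (2*cap + 2) for a growable buffer.
   Returns 0 and leaves *next untouched if the result would not fit in
   size_t. Doing this arithmetic in an unchecked int is what allows the
   capacity to wrap while the write index keeps advancing. */
static int next_capacity(size_t cap, size_t *next)
{
    if (cap > (SIZE_MAX - 2) / 2)
        return 0;
    *next = cap * 2 + 2;
    return 1;
}

/* Read one record terminated by `eos` (or EOF) from `f` into a heap
   buffer. On success returns the NUL-terminated buffer and stores its
   length in *len. Returns NULL at EOF with no data, on allocation
   failure, or when the capacity cannot grow without overflow. */
static char *read_record(FILE *f, int eos, size_t *len)
{
    size_t cap = 0, n = 0;
    char *buf = NULL;
    int c;

    while ((c = getc(f)) != EOF && c != eos) {
        if (n + 1 >= cap) {            /* keep one byte for the NUL */
            size_t ncap;
            char *nbuf;
            if (!next_capacity(cap, &ncap) || !(nbuf = realloc(buf, ncap))) {
                free(buf);
                return NULL;
            }
            buf = nbuf;
            cap = ncap;
        }
        buf[n++] = (char)c;
    }
    if (n == 0 && c == EOF) { free(buf); return NULL; }
    if (!buf && !(buf = malloc(1)))    /* empty record: only the NUL */
        return NULL;
    buf[n] = '\0';
    *len = n;
    return buf;
}
```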
Ping. No release yet, is the patch suitable?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30d0bdb974112f7857d6e50efb7d6b4b2b1ec295

commit 30d0bdb974112f7857d6e50efb7d6b4b2b1ec295
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-18 18:40:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-18 18:41:04 +0000

    app-arch/cpio: patch regressions in 2.13, allowing CVE-2021-38185 fix (unkeyworded)

    To be keyworded after testing on more machines.

    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/807088
    Bug: https://bugs.gentoo.org/854192
    Closes: https://bugs.gentoo.org/700020
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/Manifest                             |  1 +
 app-arch/cpio/cpio-2.13-r1.ebuild                  | 39 ++++++++++++++++++++++
 .../files/cpio-2.13-sysmacros-glibc-2.26.patch     | 12 +++++++
 3 files changed, 52 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a52ec56f85b11ee1faceddac7874666ad6d2b164

commit a52ec56f85b11ee1faceddac7874666ad6d2b164
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-18 19:11:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-18 19:12:00 +0000

    app-arch/cpio: revert CVE-2015-1197 fix for --no-absolute-filenames

    At least we can have the fix for CVE-2021-38185.

    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/807088
    Closes: https://bugs.gentoo.org/700020
    Signed-off-by: Sam James <sam@gentoo.org>

 .../{cpio-2.13-r1.ebuild => cpio-2.13-r2.ebuild}   |  1 +
 ...e-filenames-revert-CVE-2015-1197-handling.patch | 47 ++++++++++++++++++++++
 2 files changed, 48 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=372a7b0084f0e8bf8ced7bba804f42c79a3b35f8

commit 372a7b0084f0e8bf8ced7bba804f42c79a3b35f8
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-30 15:58:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-30 16:31:07 +0000

    app-arch/cpio: keyword 2.13-r3

    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/807088
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/cpio-2.13-r3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35f18448ac5707b834a0e7df35c934c0bef430b7

commit 35f18448ac5707b834a0e7df35c934c0bef430b7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-27 23:53:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-28 00:32:13 +0000

    app-arch/cpio: drop 2.12-r1, 2.13-r3

    Bug: https://bugs.gentoo.org/807088
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/Manifest                            |  1 -
 app-arch/cpio/cpio-2.12-r1.ebuild                 | 26 ------------
 app-arch/cpio/cpio-2.13-r3.ebuild                 | 50 -----------------------
 app-arch/cpio/files/cpio-2.12-gcc-10.patch        | 27 ------------
 app-arch/cpio/files/cpio-2.12-name-overflow.patch | 15 -------
 5 files changed, 119 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b78649fb457fb8cfe48aa194af9233cd3cc5cc6

commit 8b78649fb457fb8cfe48aa194af9233cd3cc5cc6
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-05-05 02:35:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-05 02:35:53 +0000

    app-arch/cpio: add 2.14

    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/738392
    Bug: https://bugs.gentoo.org/807088
    Bug: https://bugs.gentoo.org/854192
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/Manifest                             |  1 +
 app-arch/cpio/cpio-2.14.ebuild                     | 50 ++++++++++++++++++++++
 .../files/cpio-2.14-sysmacros-glibc-2.26.patch     | 42 ++++++++++++++++++
 3 files changed, 93 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=ec51162294c73ff033db1675669619e567135084

commit ec51162294c73ff033db1675669619e567135084
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-01 05:59:20 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-07-01 06:09:28 +0000

    [ GLSA 202407-07 ] cpio: Arbitrary Code Execution

    Bug: https://bugs.gentoo.org/807088
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202407-07.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)