| Summary: | app-arch/cpio: improper input validation when writing tar header fields leads to unexpected tar generation (CVE-2016-2037, CVE-2019-14866) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Lars Wendler (Polynomial-C) (RETIRED) <polynomial-c> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS --- | | |
| Severity: | minor | CC: | base-system, gabriele.svelto, sam |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://security-tracker.debian.org/tracker/CVE-2019-14866 | | |
| Whiteboard: | B4 [upstream cve] | | |
| Package list: | app-arch/cpio-2.13 | Runtime testing required: | --- |
| Bug Depends on: | 700020, 807088, 908631 | | |
| Bug Blocks: | | | |

Description
Lars Wendler (Polynomial-C) (RETIRED)
2019-11-06 15:58:10 UTC
arm64 stable

x86 stable

Full stop on stabilization due to bug #700020

(In reply to Lars Wendler (Polynomial-C) from comment #3)
> Full stop on stabilization due to bug #700020

No fix yet, unfortunately.

---

Other vulnerabilities that 2.13 fixed:

2) CVE-2016-2037

Description:
"The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file."

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Unable to check for sanity:
> package masked: app-arch/cpio-2.13

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30d0bdb974112f7857d6e50efb7d6b4b2b1ec295

commit 30d0bdb974112f7857d6e50efb7d6b4b2b1ec295
Author: Sam James <sam@gentoo.org>
AuthorDate: 2022-10-18 18:40:04 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-10-18 18:41:04 +0000

    app-arch/cpio: patch regressions in 2.13, allowing CVE-2021-38185 fix (unkeyworded)

    To be keyworded after testing on more machines.

    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/807088
    Bug: https://bugs.gentoo.org/854192
    Closes: https://bugs.gentoo.org/700020
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/Manifest | 1 +
 app-arch/cpio/cpio-2.13-r1.ebuild | 39 ++++++++++++++++++++++
 .../files/cpio-2.13-sysmacros-glibc-2.26.patch | 12 +++++++
 3 files changed, 52 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a52ec56f85b11ee1faceddac7874666ad6d2b164

commit a52ec56f85b11ee1faceddac7874666ad6d2b164
Author: Sam James <sam@gentoo.org>
AuthorDate: 2022-10-18 19:11:52 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-10-18 19:12:00 +0000

    app-arch/cpio: revert CVE-2015-1197 fix for --no-absolute-filenames

    At least we can have the fix for CVE-2021-38185.

    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/807088
    Closes: https://bugs.gentoo.org/700020
    Signed-off-by: Sam James <sam@gentoo.org>

 .../{cpio-2.13-r1.ebuild => cpio-2.13-r2.ebuild} | 1 +
 ...e-filenames-revert-CVE-2015-1197-handling.patch | 47 ++++++++++++++++++++++
 2 files changed, 48 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=372a7b0084f0e8bf8ced7bba804f42c79a3b35f8

commit 372a7b0084f0e8bf8ced7bba804f42c79a3b35f8
Author: Sam James <sam@gentoo.org>
AuthorDate: 2022-10-30 15:58:25 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-10-30 16:31:07 +0000

    app-arch/cpio: keyword 2.13-r3

    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/807088
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/cpio-2.13-r3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b78649fb457fb8cfe48aa194af9233cd3cc5cc6

commit 8b78649fb457fb8cfe48aa194af9233cd3cc5cc6
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-05-05 02:35:30 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-05 02:35:53 +0000

    app-arch/cpio: add 2.14

    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/738392
    Bug: https://bugs.gentoo.org/807088
    Bug: https://bugs.gentoo.org/854192
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/Manifest | 1 +
 app-arch/cpio/cpio-2.14.ebuild | 50 ++++++++++++++++++++++
 .../files/cpio-2.14-sysmacros-glibc-2.26.patch | 42 ++++++++++++++++++
 3 files changed, 93 insertions(+)

I think this is fixed now upstream in 2.14? Not sure yet.