Bug 807088 (CVE-2021-38185) - <app-arch/cpio-2.13-r1: code execution via crafted pattern file (CVE-2021-38185)
Summary: <app-arch/cpio-2.13-r1: code execution via crafted pattern file (CVE-2021-38185)
Status: IN_PROGRESS
Alias: CVE-2021-38185
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa?]
Keywords:
Depends on: 886017
Blocks: CVE-2016-2037, CVE-2019-14866
Reported: 2021-08-08 05:57 UTC by John Helmert III
Modified: 2022-12-28 00:34 UTC

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-08 05:57:42 UTC
CVE-2021-38185:

GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.

Fix is https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b
according to https://lists.gnu.org/archive/html/bug-cpio/2021-08/msg00002.html
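
Added example, not part of the bug report and not cpio's source: a simplified model of the bug class named in the CVE text, assuming a growable line buffer whose capacity is doubled on demand. `double_as_int32` shows the value a signed 32-bit capacity takes when doubling wraps; `struct dstr`, `next_capacity`, `dstr_putc` and `dstr_getline` are hypothetical names for a hardened reader that keeps sizes in `size_t` and refuses to grow when the doubled size cannot be represented.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model only: a signed 32-bit capacity after doubling wraps (unsigned math, no UB). */
int64_t double_as_int32(int32_t cap) {
    uint32_t u = (uint32_t)cap * 2u;
    return (u & 0x80000000u) ? (int64_t)u - 4294967296LL : (int64_t)u;
}

/* Hardened growth: size_t capacity, refuse when doubling cannot be represented. */
int next_capacity(size_t cap, size_t *out) {
    if (cap == 0) { *out = 16; return 0; }
    if (cap > SIZE_MAX / 2) return -1;
    *out = cap * 2;
    return 0;
}

struct dstr { char *buf; size_t len, cap; };   /* hypothetical type */
/* Append one byte, always keeping room for the terminating NUL. */
int dstr_putc(struct dstr *s, char c) {
    if (s->len + 1 >= s->cap) {
        size_t ncap; char *p;
        if (next_capacity(s->cap, &ncap) != 0) return -1;
        if ((p = realloc(s->buf, ncap)) == NULL) return -1;
        s->buf = p; s->cap = ncap;
    }
    s->buf[s->len++] = c;
    s->buf[s->len] = '\0';
    return 0;
}

/* Read one pattern line (up to '\n' or end of input) from a memory buffer. */
int dstr_getline(struct dstr *s, const char *src, size_t n) {
    s->len = 0;
    for (size_t i = 0; i < n && src[i] != '\n'; i++)
        if (dstr_putc(s, src[i]) != 0) return -1;
    return 0;
}

int main(void) {
    struct dstr s = {0};
    const char pat[] = "*.conf\nignored";   /* constructed sample input */
    int rc = dstr_getline(&s, pat, sizeof pat - 1);
    printf("rc=%d line=%s wrapped=%lld\n", rc, rc ? "" : s.buf, (long long)double_as_int32(0x40000000));
    free(s.buf);
    return rc;
}
```
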
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-15 04:55:21 UTC
Ping. No release yet, is the patch suitable?
Comment 2 Larry the Git Cow gentoo-dev 2022-10-18 18:41:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30d0bdb974112f7857d6e50efb7d6b4b2b1ec295

commit 30d0bdb974112f7857d6e50efb7d6b4b2b1ec295
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-18 18:40:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-18 18:41:04 +0000

    app-arch/cpio: patch regressions in 2.13, allowing CVE-2021-38185 fix (unkeyworded)
    
    To be keyworded after testing on more machines.
    
    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/807088
    Bug: https://bugs.gentoo.org/854192
    Closes: https://bugs.gentoo.org/700020
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/Manifest                             |  1 +
 app-arch/cpio/cpio-2.13-r1.ebuild                  | 39 ++++++++++++++++++++++
 .../files/cpio-2.13-sysmacros-glibc-2.26.patch     | 12 +++++++
 3 files changed, 52 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2022-10-18 19:12:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a52ec56f85b11ee1faceddac7874666ad6d2b164

commit a52ec56f85b11ee1faceddac7874666ad6d2b164
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-18 19:11:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-18 19:12:00 +0000

    app-arch/cpio: revert CVE-2015-1197 fix for --no-absolute-filenames
    
    At least we can have the fix for CVE-2021-38185.
    
    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/807088
    Closes: https://bugs.gentoo.org/700020
    Signed-off-by: Sam James <sam@gentoo.org>

 .../{cpio-2.13-r1.ebuild => cpio-2.13-r2.ebuild}   |  1 +
 ...e-filenames-revert-CVE-2015-1197-handling.patch | 47 ++++++++++++++++++++++
 2 files changed, 48 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2022-10-30 16:31:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=372a7b0084f0e8bf8ced7bba804f42c79a3b35f8

commit 372a7b0084f0e8bf8ced7bba804f42c79a3b35f8
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-30 15:58:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-30 16:31:07 +0000

    app-arch/cpio: keyword 2.13-r3
    
    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/807088
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/cpio-2.13-r3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 Larry the Git Cow gentoo-dev 2022-12-28 00:32:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35f18448ac5707b834a0e7df35c934c0bef430b7

commit 35f18448ac5707b834a0e7df35c934c0bef430b7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-27 23:53:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-28 00:32:13 +0000

    app-arch/cpio: drop 2.12-r1, 2.13-r3
    
    Bug: https://bugs.gentoo.org/807088
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/Manifest                            |  1 -
 app-arch/cpio/cpio-2.12-r1.ebuild                 | 26 ------------
 app-arch/cpio/cpio-2.13-r3.ebuild                 | 50 -----------------------
 app-arch/cpio/files/cpio-2.12-gcc-10.patch        | 27 ------------
 app-arch/cpio/files/cpio-2.12-name-overflow.patch | 15 -------
 5 files changed, 119 deletions(-)