807088 – (CVE-2021-38185) <app-arch/cpio-2.13-r1: code execution via crafted pattern file (CVE-2021-38185)

Bug 807088 (CVE-2021-38185) - <app-arch/cpio-2.13-r1: code execution via crafted pattern file (CVE-2021-38185)

Summary: <app-arch/cpio-2.13-r1: code execution via crafted pattern file (CVE-2021-38185)

Status:	IN_PROGRESS

Alias:	CVE-2021-38185

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B2 [glsa?]
Keywords:

Depends on:	886017
Blocks:	CVE-2016-2037, CVE-2019-14866
	Show dependency tree

Reported:	2021-08-08 05:57 UTC by John Helmert III
Modified:	2023-05-05 02:38 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-08-08 05:57:42 UTC

CVE-2021-38185:

GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.

Fix is https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b
according to https://lists.gnu.org/archive/html/bug-cpio/2021-08/msg00002.html

Comment 1 John Helmert III archtester

2022-08-15 04:55:21 UTC

Ping. No release yet, is the patch suitable?

Comment 2 Larry the Git Cow gentoo-dev

2022-10-18 18:41:29 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30d0bdb974112f7857d6e50efb7d6b4b2b1ec295

commit 30d0bdb974112f7857d6e50efb7d6b4b2b1ec295
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-18 18:40:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-18 18:41:04 +0000

    app-arch/cpio: patch regressions in 2.13, allowing CVE-2021-38185 fix (unkeyworded)
    
    To be keyworded after testing on more machines.
    
    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/807088
    Bug: https://bugs.gentoo.org/854192
    Closes: https://bugs.gentoo.org/700020
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/Manifest                             |  1 +
 app-arch/cpio/cpio-2.13-r1.ebuild                  | 39 ++++++++++++++++++++++
 .../files/cpio-2.13-sysmacros-glibc-2.26.patch     | 12 +++++++
 3 files changed, 52 insertions(+)

Comment 3 Larry the Git Cow gentoo-dev

2022-10-18 19:12:29 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a52ec56f85b11ee1faceddac7874666ad6d2b164

commit a52ec56f85b11ee1faceddac7874666ad6d2b164
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-18 19:11:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-18 19:12:00 +0000

    app-arch/cpio: revert CVE-2015-1197 fix for --no-absolute-filenames
    
    At least we can have the fix for CVE-2021-38185.
    
    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/807088
    Closes: https://bugs.gentoo.org/700020
    Signed-off-by: Sam James <sam@gentoo.org>

 .../{cpio-2.13-r1.ebuild => cpio-2.13-r2.ebuild}   |  1 +
 ...e-filenames-revert-CVE-2015-1197-handling.patch | 47 ++++++++++++++++++++++
 2 files changed, 48 insertions(+)

Comment 4 Larry the Git Cow gentoo-dev

2022-10-30 16:31:14 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=372a7b0084f0e8bf8ced7bba804f42c79a3b35f8

commit 372a7b0084f0e8bf8ced7bba804f42c79a3b35f8
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-30 15:58:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-30 16:31:07 +0000

    app-arch/cpio: keyword 2.13-r3
    
    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/807088
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/cpio-2.13-r3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 5 Larry the Git Cow gentoo-dev

2022-12-28 00:32:55 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35f18448ac5707b834a0e7df35c934c0bef430b7

commit 35f18448ac5707b834a0e7df35c934c0bef430b7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-27 23:53:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-28 00:32:13 +0000

    app-arch/cpio: drop 2.12-r1, 2.13-r3
    
    Bug: https://bugs.gentoo.org/807088
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/Manifest                            |  1 -
 app-arch/cpio/cpio-2.12-r1.ebuild                 | 26 ------------
 app-arch/cpio/cpio-2.13-r3.ebuild                 | 50 -----------------------
 app-arch/cpio/files/cpio-2.12-gcc-10.patch        | 27 ------------
 app-arch/cpio/files/cpio-2.12-name-overflow.patch | 15 -------
 5 files changed, 119 deletions(-)

Comment 6 Larry the Git Cow gentoo-dev

2023-05-05 02:38:34 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b78649fb457fb8cfe48aa194af9233cd3cc5cc6

commit 8b78649fb457fb8cfe48aa194af9233cd3cc5cc6
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-05-05 02:35:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-05 02:35:53 +0000

    app-arch/cpio: add 2.14
    
    Bug: https://bugs.gentoo.org/699456
    Bug: https://bugs.gentoo.org/738392
    Bug: https://bugs.gentoo.org/807088
    Bug: https://bugs.gentoo.org/854192
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/cpio/Manifest                             |  1 +
 app-arch/cpio/cpio-2.14.ebuild                     | 50 ++++++++++++++++++++++
 .../files/cpio-2.14-sysmacros-glibc-2.26.patch     | 42 ++++++++++++++++++
 3 files changed, 93 insertions(+)