UbuntuUpdates.org

Package "cpio-win32"

Name: cpio-win32

Description:

GNU cpio -- a program to manage archives of files (win32 build)
Latest version: 2.12+dfsg-6ubuntu0.18.04.4
Release: bionic (18.04)
Level: security
Repository: universe
Head package: cpio
Homepage: http://www.gnu.org/software/cpio/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "cpio-win32"

All arch deb package
APT INSTALL

Other versions of "cpio-win32" in Bionic

Repository Area Version
base universe 2.12+dfsg-6
updates universe 2.12+dfsg-6ubuntu0.18.04.4

Changelog

Version: 2.12+dfsg-6ubuntu0.18.04.4 2021-09-08 13:06:45 UTC

  cpio (2.12+dfsg-6ubuntu0.18.04.4) bionic-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via crafted pattern file
    - debian/patches/CVE-2021-38185.patch: rewrite dynamic string support
      in src/copyin.c, src/copyout.c, src/copypass.c, src/dstring.c,
      src/dstring.h, src/util.c.
    - debian/patches/CVE-2021-38185.2.patch: don't call ds_resize in a loop
      in src/dstring.c.
    - debian/patches/CVE-2021-38185.3.patch: fix dynamic string
      reallocations in src/dstring.c.
    - CVE-2021-38185

 -- Marc Deslauriers <email address hidden> Wed, 25 Aug 2021 06:53:46 -0400
Source diff to previous version
CVE-2021-38185 GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that

Version: 2.12+dfsg-6ubuntu0.18.04.1 2019-11-06 18:06:22 UTC

  cpio (2.12+dfsg-6ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Improper input validation
    - debian/patches/CVE-2019-14866.patch: improve diagnostics,
      remove to_oct_or_error, adding new macro in
      src/copyout.c, src/extern.h, src/tar.c.
    - CVE-2019-14866

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 05 Nov 2019 15:09:06 -0300
CVE-2019-14866 improper input validation when writing tar header fields leads to unexpect tar generation


About   -   Send Feedback to @ubuntu_updates