UbuntuUpdates.org

Package "cpio"

Name: cpio

Description:

GNU cpio -- a program to manage archives of files

Latest version: 2.13+dfsg-2ubuntu0.4
Release: focal (20.04)
Level: updates
Repository: main
Homepage: https://www.gnu.org/software/cpio/

Other versions of "cpio" in Focal

Repository  Area      Version
base        main      2.13+dfsg-2
base        universe  2.13+dfsg-2
security    main      2.13+dfsg-2ubuntu0.4
security    universe  2.13+dfsg-2ubuntu0.4
updates     universe  2.13+dfsg-2ubuntu0.4

Changelog

Version: 2.13+dfsg-2ubuntu0.4 2024-04-29 13:06:55 UTC

  cpio (2.13+dfsg-2ubuntu0.4) focal-security; urgency=medium

  * SECURITY UPDATE: Path traversal vulnerability
    - debian/patches/CVE-2023-7207.patch: Create symlink placeholder
      if --no-absolute-filenames was given and replace placeholders
      after extraction.
    - debian/patches/revert-CVE-2015-1197-handling.patch: Removed.
    - CVE-2023-7207

 -- Fabian Toepfer <email address hidden> Sun, 28 Apr 2024 14:31:25 +0200

CVE-2023-7207: Debian's cpio contains a path traversal vulnerability. This issue was introduced by reverting CVE-2015-1197 patches which had caused a regression in
CVE-2015-1197: cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive

Version: 2.13+dfsg-2ubuntu0.3 2021-09-08 13:06:52 UTC

  cpio (2.13+dfsg-2ubuntu0.3) focal-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via crafted pattern file
    - debian/patches/CVE-2021-38185.patch: rewrite dynamic string support
      in src/copyin.c, src/copyout.c, src/copypass.c, src/dstring.c,
      src/dstring.h, src/util.c.
    - debian/patches/CVE-2021-38185.2.patch: don't call ds_resize in a loop
      in src/dstring.c.
    - debian/patches/CVE-2021-38185.3.patch: fix dynamic string
      reallocations in src/dstring.c.
    - CVE-2021-38185

 -- Marc Deslauriers <email address hidden> Wed, 25 Aug 2021 06:52:28 -0400

CVE-2021-38185: GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that


