UbuntuUpdates.org

Package "cpio"

Name: cpio

Description:

GNU cpio -- a program to manage archives of files
Latest version: 2.11-7ubuntu3.3
Release: precise (12.04)
Level: security
Repository: main
Homepage: http://www.gnu.org/software/cpio/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "cpio"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "cpio" in Precise

Repository Area Version
base main 2.11-7ubuntu3
updates main 2.11-7ubuntu3.3

Changelog

Version: 2.11-7ubuntu3.3 2021-05-03 14:07:14 UTC

  cpio (2.11-7ubuntu3.3) precise-security; urgency=medium

  * SECURITY UPDATE: Improper input validation
    - debian/patches/CVE-2019-14866.patch: improve diagnostics,
      remove to_oct_or_error, adding new macro in
      src/copyout.c, src/extern.h, src/tar.c.
    - CVE-2019-14866

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 05 Nov 2019 12:31:13 -0300
Source diff to previous version
CVE-2019-14866 improper input validation when writing tar header fields leads to unexpect tar generation

Version: 2.11-7ubuntu3.2 2016-02-22 19:06:39 UTC

  cpio (2.11-7ubuntu3.2) precise-security; urgency=medium

  * SECURITY UPDATE: file overwrite via symlink attack
    - debian/patches/CVE-2015-1197.patch: don't write files over symlinks
      unless --extract-over-symlinks is used in doc/cpio.1, src/copyin.c,
      src/extern.h, src/global.c, src/main.c.
    - CVE-2015-1197
  * SECURITY UPDATE: out-of-bounds write
    - debian/patches/CVE-2016-2037.patch: make sure there is at least two
      bytes available in src/copyin.c, added comment to src/util.c.
    - CVE-2016-2037
  * debian/patches/fix-symlink-test.patch: fix date-sensitive test.

 -- Marc Deslauriers <email address hidden> Thu, 18 Feb 2016 09:19:26 -0500
Source diff to previous version
CVE-2015-1197 cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive
CVE-2016-2037 out-of-bounds write with cpio 2.11

Version: 2.11-7ubuntu3.1 2015-01-08 20:06:22 UTC

  cpio (2.11-7ubuntu3.1) precise-security; urgency=medium

  * SECURITY UPDATE: out of bounds write and other range issues
    - debian/patches/cpio-CVE-2014-9112.patch
    - debian/patches/cpio-CVE-2014-9112-testsuite.patch: regenerate
      testsuite to incorporate tests from previous patch
    - CVE-2014-9112
 -- Steve Beattie <email address hidden> Wed, 07 Jan 2015 11:36:30 -0800
CVE-2014-9112 Heap-based buffer overflow in the process_copy_in function in GNU Cpio 2.11 allows remote attackers to cause a denial of service via a large block va


About   -   Send Feedback to @ubuntu_updates