Ubuntu
cpio package

Sync cpio 2.13+dfsg-7 (main) from Debian sid (main)

Bug #1958131 reported by Heinrich Schuchardt on 2022-01-17

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	cpio (Ubuntu)	Fix Released	Wishlist	Unassigned

Bug Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

affects ubuntu/cpio
status new
importance wishlist
subscribe ubuntu-sponsors
done

Please sync cpio 2.13+dfsg-7 (main) from Debian sid (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: arbitrary code execution via crafted pattern file
    - debian/patches/CVE-2021-38185.patch: rewrite dynamic string support
      in src/copyin.c, src/copyout.c, src/copypass.c, src/dstring.c,
      src/dstring.h, src/util.c.
    - debian/patches/CVE-2021-38185.2.patch: don't call ds_resize in a loop
      in src/dstring.c.
    - debian/patches/CVE-2021-38185.3.patch: fix dynamic string
      reallocations in src/dstring.c.
    - CVE-2021-38185
  * Back out CVE-2021-381185 patches for now as they appear to be causing a
    regression when building the kernel
    - debian/patches/CVE-2021-38185.patch: disabled
    - debian/patches/CVE-2021-38185.2.patch: disabled
  * SECURITY UPDATE: arbitrary code execution via crafted pattern file
    - debian/patches/CVE-2021-38185.2.patch: don't call ds_resize in a loop
      in src/dstring.c.
    - CVE-2021-38185
  * SECURITY UPDATE: arbitrary code execution via crafted pattern file
    - debian/patches/CVE-2021-38185.patch: rewrite dynamic string support
      in src/copyin.c, src/copyout.c, src/copypass.c, src/dstring.c,
      src/dstring.h, src/util.c.
    - CVE-2021-38185

The code changes by the patch series in Ubuntu and Debian are the same.
The patches are just name differently:

d/992045-CVE-2021-38185-rewrite-dynamic-string-support u/patches/CVE-2021-38185.patch
d/992098-regression-of-orig-fix-for-CVE-2021-38185 u/CVE-2021-38185.2.patch
d/992192-Fix-dynamic-string-reallocations.patch u/patches/CVE-2021-38185.3.patch
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEK7wKXt3/btL6/yA+hO4vgnE3U0sFAmHlU6oACgkQhO4vgnE3
U0s83g//e0P9zbgAB77m0zHcBpyiAYrIDfaWHGGXOARuRd7T5GXrrYFEo1ldGSqy
eq9MrcQmFjEjy+0O7AGzmMVoQL0zyjze4OKIEb/8Hv2z9asyscJkI8zkTH7oO+Sg
GWER6yP66MCOvTCseGMdlrCWng93GAyJbJSOhVFh1t0Pssl3QJ3txPdNU5j6jKwS
b7NKnAMLvxBUHpftayFMHUtbZ/RpTzJavnQlperzN9W9OBbVccwSWwBJ3rjPoj1D
LOaXxeuWBDcHi9k7bB/HtDIitkQDvFSqCB0otn14F3I5BUCiM3xqT7kiGZAeP6TP
jny3IElHXDdepZOjqZ+UTJ0oTldKxRErz3XXWl32gVB0dOUgF7GgSoPSKckCp5hG
P7f7stsc3Cout+jo88AUEDmsV9GX5kLLGFfC8kGlXnIS9S7lH+yd1xfNd6WmZkyd
79pZAXZXAO/wrcD+g2U4OaD5a+LPYDxul6aA2l8hykN9OcN5Q+/F/r5DT2Oa4GeV
vCvpbXrs+WGOPfU50qwofB0lhBScsHZ9Yuga6l3VWBrFnbgT0G1ceYqc5X/ym4is
fTEBCthtTq7mDVzuSCGe21Ar4TwQtSPhwCu5RRLphmkIREFbFhBLDzSS8wQyyz2V
OJuv38UGAmhOMajhmt504BBb/ssMf5ItdRX1+imF0MTQrX4YSbg=
=2bpu
-----END PGP SIGNATURE-----

CVE References

2021-38185

Revision history for this message

Lukas Märdian (slyon) wrote on 2022-01-20:

This bug was fixed in the package cpio - 2.13+dfsg-7
Sponsored for Heinrich Schuchardt (xypron)

---------------
cpio (2.13+dfsg-7) unstable; urgency=medium

[ Salvatore Bonaccorso ]
* Fix dynamic string reallocations (Closes: #992192)

-- Anibal Monsalve Salazar <email address hidden> Sun, 22 Aug 2021 15:21:53 +1000

cpio (2.13+dfsg-6) unstable; urgency=high

  * Fix regression of original fix for CVE-2021-38185
    Add patch 992098-regression-of-orig-fix-for-CVE-2021-38185
    Closes: #992098

-- Anibal Monsalve Salazar <email address hidden> Fri, 13 Aug 2021 13:06:27 +1000

cpio (2.13+dfsg-5) unstable; urgency=medium

  * Fix CVE-2021-38185
    Add patch 992045-CVE-2021-38185-rewrite-dynamic-string-support
    Closes: #992045

-- Anibal Monsalve Salazar <email address hidden> Wed, 11 Aug 2021 01:18:33 +1000

Changed in cpio (Ubuntu):
status:	New → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntucpio package