| Summary: | cpio new security issue CVE-2021-38185 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | dan, davidwhodgins, guillaume.royer, joequant, marja11, nicolas.salguero, sysadmin-bugs, tmb |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | cpio-2.13-5.mga8.src.rpm | CVE: | CVE-2021-38185 |
| Status comment: | |||
|
Description
David Walser
2021-08-12 14:05:20 CEST
David Walser
2021-08-12 14:05:44 CEST
CC:
(none) =>
tmb Assign to all packagers collectively, since this package has no registered maintainer. CC'ing two more committers. Assignee:
bugsquad =>
pkg-bugs openSUSE has issued an advisory for this on August 16: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XORUFH2I27QQWZXGSRUKWLXW5NX5KLXA/ Status comment:
(none) =>
Patch available from openSUSE Suggested advisory: ======================== The updated package fixes a security vulnerability: GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. (CVE-2021-38185) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38185 https://lists.suse.com/pipermail/sle-security-updates/2021-August/009282.html https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XORUFH2I27QQWZXGSRUKWLXW5NX5KLXA/ ======================== Updated package in core/updates_testing: ======================== cpio-2.13-5.1.mga8 from SRPM: cpio-2.13-5.1.mga8.src.rpm CC:
(none) =>
nicolas.salguero Test CPIO before update: find /home/guillaume/Documents/test_cpio/ |cpio -ocvB > /home/guillaume/Téléchargements/testCPIO /home/guillaume/Documents/test_cpio/ /home/guillaume/Documents/test_cpio/glinfo /home/guillaume/Documents/test_cpio/MAJ kernel 3 blocs Test => OK Update CPIO with QA repo on MGA8 64 XFCE. Test CPIO after update removing archive testCPIO: find /home/guillaume/Documents/test_cpio/ |cpio -ocvB > /home/guillaume/Téléchargements/testCPIO /home/guillaume/Documents/test_cpio/ /home/guillaume/Documents/test_cpio/glinfo /home/guillaume/Documents/test_cpio/MAJ kernel 3 blocs Test => OK CC:
(none) =>
guillaume.royer Ubuntu has issued an advisory for this today (September 8): https://ubuntu.com/security/notices/USN-5064-1 They said they needed a couple of extra commits to fix regressions: https://ubuntu.com/security/CVE-2021-38185 Is our build OK? (In reply to David Walser from comment #5) > They said they needed a couple of extra commits to fix regressions: > https://ubuntu.com/security/CVE-2021-38185 > > Is our build OK? Yes it is. When I added the patch for the CVE, I saw that two additional commits were needed so I added them too. Adding ok based on comment 4 and validating. Advisory committed to svn. Keywords:
(none) =>
advisory, validated_update An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0423.html Status:
ASSIGNED =>
RESOLVED |