A CVE has been assigned for a security issue in cpio:
http://www.openwall.com/lists/oss-security/2014/11/26/20

The issue has been fixed upstream, as noted in the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-9112

Fedora has added patches for it in git. Their update is still in QA.

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated cpio package fixes security vulnerability:

Heap-based buffer overflow in the process_copy_in function in GNU Cpio 2.11 allows remote attackers to cause a denial of service via a large block value in a cpio archive (CVE-2014-9112).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9112
https://bugzilla.redhat.com/show_bug.cgi?id=1167571
========================

Updated packages in core/updates_testing:
========================
cpio-2.11-6.1.mga4 from cpio-2.11-6.1.mga4.src.rpm
I am lined up to test this on MGA4 x64 - when I can see the update in Updates Testing.
CC: (none) => lewyssmith
Testing MGA4 x64

Useful links:
http://www.openwall.com/lists/oss-security/2014/11/26/20
-> http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio
the latter being the sample cpio archive [download it].

The cpio man page is minimal, and if you want to avoid wrestling with 'info', http://www.gnu.org/software/cpio/manual/cpio.html is a much nicer explanation of it all.

In the same directory as the downloaded archive file:-

Before the update (the last 2 commands are equivalent):-
$ cpio -t -F lesspipe-cpio-bad-write.cpio
hello
cpio: premature end of file
$ cpio -idv < lesspipe-cpio-bad-write.cpio
Segmentation fault
$ cpio -idv -F lesspipe-cpio-bad-write.cpio
Segmentation fault

Updated from Updates Testing to cpio-2.11-6.1.mga4:-
$ cpio -t -F lesspipe-cpio-bad-write.cpio
hello
cpio: premature end of file
$ cpio -idv < lesspipe-cpio-bad-write.cpio
cpio: premature end of file
$ cpio -idv -F lesspipe-cpio-bad-write.cpio
cpio: premature end of file

I take it this is 'OK'.
Whiteboard: (none) => MGA4-64-OK
Yep, nice job Lewis.
Whiteboard: MGA4-64-OK => has_procedure MGA4-64-OK
On Mageia 4 i586 I still get the segfault...
I tested Fedora's update candidate on Fedora 20 and I actually didn't get the segfault before installing the update, but I do after (also testing i686). I've reported this in their QA thing and their Bugzilla. Hopefully they'll see it.
Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK feedback
Cool, RedHat's packager reported it upstream and they committed additional fixes. I have confirmed that it doesn't crash with the PoC with a local build.

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated cpio package fixes security vulnerability:

Heap-based buffer overflow in the process_copy_in function in GNU Cpio 2.11 allows remote attackers to cause a denial of service via a large block value in a cpio archive (CVE-2014-9112).

Additionally, a null pointer dereference in the copyin_link function which could cause a denial of service has also been fixed.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9112
https://bugzilla.redhat.com/show_bug.cgi?id=1167571
========================

Updated packages in core/updates_testing:
========================
cpio-2.11-6.2.mga4 from cpio-2.11-6.2.mga4.src.rpm
Whiteboard: has_procedure MGA4-64-OK feedback => has_procedure
Tested successfully with the mga4 update on i586:

$ cpio -idv < lesspipe-cpio-bad-write.cpio
cpio: hello: stored filename length is out of range
hello
cpio: warning: skipped 6 bytes of junk
1 block
Whiteboard: has_procedure => has_procedure MGA4-32-OK
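The i586 output above shows the patched cpio refusing the archive at the header stage instead of crashing. As an added example that is not part of this thread or of GNU cpio's code, here is a small Python pre-flight validator for SVR4 "newc" cpio archives that applies the same kind of bounds check (the header-declared name and data lengths against the bytes actually present); the archive bytes it checks are constructed inside the block, not the lesspipe sample from the thread.

```python
MAGIC = b"070701"          # SVR4 "newc" cpio magic
HDR_LEN = 110              # magic + 13 eight-hex-digit fields
FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize", "devmajor",
          "devminor", "rdevmajor", "rdevminor", "namesize", "check")
def pad4(n):
    return (n + 3) & ~3    # newc pads name and data to 4-byte boundaries
def parse_header(buf, off):
    """Decode the newc header at buf[off:] into a dict of ints."""
    if buf[off:off + 6] != MAGIC:
        raise ValueError("bad magic")
    return {f: int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16)
            for i, f in enumerate(FIELDS)}
def check_archive(buf):
    """Walk every entry, bounds-checking each header-declared length against
    the bytes actually present; return member names or raise ValueError."""
    off, names = 0, []
    while True:
        if off + HDR_LEN > len(buf):
            raise ValueError("premature end of file")
        h = parse_header(buf, off)
        namesize, name_off = h["namesize"], off + HDR_LEN
        # namesize counts the trailing NUL, so 2 is the shortest legal value
        if namesize < 2 or name_off + namesize > len(buf):
            raise ValueError("stored filename length is out of range")
        name = buf[name_off:name_off + namesize - 1]
        if b"\0" in name or buf[name_off + namesize - 1] != 0:
            raise ValueError("stored filename is not NUL-terminated")
        if name == b"TRAILER!!!":
            return names
        data_off = pad4(name_off + namesize)
        if data_off + h["filesize"] > len(buf):
            raise ValueError("premature end of file")
        names.append(name.decode("utf-8", "replace"))
        off = pad4(data_off + h["filesize"])
def make_entry(name, data, mode=0o100644):
    """Build one newc entry from constructed sample data (all ids zero)."""
    vals = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0]
    body = MAGIC + "".join("%08x" % v for v in vals).encode() + name + b"\0"
    body += b"\0" * (pad4(len(body)) - len(body)) + data
    return body + b"\0" * (pad4(len(body)) - len(body))
# Constructed archives: a sane one, and the same bytes with namesize forced huge
GOOD = make_entry(b"hello", b"hello world\n") + make_entry(b"TRAILER!!!", b"")
BAD_NAMESIZE = GOOD[:94] + b"ffffffff" + GOOD[102:]   # namesize sits at bytes 94..101
def verdict(buf):
    try:
        return "ok: " + ",".join(check_archive(buf))
    except ValueError as e:
        return "rejected: " + str(e)
```

Running verdict() over GOOD, BAD_NAMESIZE and a truncated copy of GOOD shows the three outcomes the thread discusses: a clean listing, a rejected filename length, and a premature end of file.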
Tested cpio-2.11-6.2.mga4 on mga4 x86_64

Test procedure by Lewis cf comment 2

Downloaded specimen archive

[lcl@altair ~/downloads]$ cpio -t -F lesspipe-cpio-bad-write.cpio
hello
cpio: premature end of file
[lcl@altair ~/downloads]$ cpio -idv < lesspipe-cpio-bad-write.cpio
cpio: premature end of file
[lcl@altair ~/downloads]$ cpio -idv -F lesspipe-cpio-bad-write.cpio
cpio: premature end of file
CC: (none) => tarazed25
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
mga4 on virtualbox i586

Testing the update confirms David's result in comment 7. The other form of the command also agrees:

[lcl@localhost ~]$ cpio -idv -F lesspipe-cpio-bad-write.cpio
cpio: hello: stored filename length is out of range
hello
cpio: warning: skipped 6 bytes of junk
1 block

Any explanation for the difference from x86_64?
(In reply to Len Lawrence from comment #9)
> Any explanation for the difference from x86_64?

Yes, upstream knows that the output messages are different on different architectures. The important thing is that it doesn't segfault anymore.
Advisory uploaded, validating.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0528.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/626452/