Gentoo has issued an advisory on February 15:
http://www.gentoo.org/security/en/glsa/glsa-201502-11.xml

We fixed CVE-2014-9112 in Bug 14765. Looking at the patch that Gentoo added for this update:
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-arch/cpio/files/cpio-2.11-security.patch?revision=1.1&view=markup

They fixed that CVE as well as some additional issues that we found in the process of fixing that one, but they didn't actually fix CVE-2015-1197, as their advisory claims. This is assuming that CVE does actually correspond to this issue:
https://marc.info/?l=oss-security&m=142289947619786&w=2
as Debian said here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669#29

I never saw the CVE-2015-1197 assignment happen on the list.

I can confirm that that issue is *not* fixed by the patches I had added in the previous update, which is the same as what Gentoo added in theirs.

I have actually added the SuSE patch that was mentioned in the oss-security post and Debian bug above, and can confirm that the issue is fixed, via the PoC here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669#15

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated cpio package fixes security vulnerability:

In GNU Cpio 2.11, the --no-absolute-filenames option limits extracting contents of an archive to be strictly inside a current directory. However, it can be bypassed with symlinks. While extracting an archive, it will extract symlinks and then follow them if they are referenced in further entries. This can be exploited by a rogue archive to write files outside the current directory (CVE-2015-1197).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1197
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669
========================

Updated packages in core/updates_testing:
========================
cpio-2.11-6.3.mga4

from cpio-2.11-6.3.mga4.src.rpm
Whiteboard: (none) => has_procedure MGA4-32-OK
MGA4-64 on HP Probook 6555b KDE

No installation issues.

Following PoC as above I get at the CLI:

[xxx@yyy ~]$ ln -s /tmp dir
[xxx@yyy ~]$ touch /tmp/file
[xxx@yyyy ~]$ echo 'dir
> dir/file' | cpio -ov > test.cpio
dir
dir/file
1 blok
[xxx@yyy ~]$ rm dir /tmp/file
rm: remove symbolic link ‘dir’? y
rm: remove regular empty file ‘/tmp/file’? y
[xxx@yyy ~]$ cpio --no-absolute-filenames -iv < test.cpio
dir
cpio: Can't write over symlinks: dir/file

CC: (none) => herman.viaene
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
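The check behind "Can't write over symlinks", sketched as an added example that is not part of this bug report and is not the SuSE patch or cpio's own code: given archive members in order, it flags any member whose path passes through a symlink created by an earlier member of the same archive. The function name, the (name, link_target) input shape and the sample entries are assumptions made for illustration; symlinks that already exist on disk are outside what it checks.

```python
def writes_through_symlinks(entries):
    """Flag members whose path passes through a symlink that an earlier
    member of the same archive created.

    entries: (name, link_target) pairs in archive order; link_target is
    None for anything that is not a symlink (hypothetical input shape).
    Returns a list of (name, symlink_path, link_target) tuples.
    """
    seen_links = {}  # normalised member path -> link target
    flagged = []
    for name, link_target in entries:
        # Drop empty and "." components so "./dir//file" compares as "dir/file".
        parts = [p for p in name.split("/") if p not in ("", ".")]
        # Test every proper prefix (dir, dir/sub, ...), not the member itself.
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in seen_links:
                flagged.append((name, prefix, seen_links[prefix]))
                break
        # Conservative: once the archive has created a symlink at a path,
        # keep treating that path as a symlink for all later members.
        if link_target is not None:
            seen_links["/".join(parts)] = link_target
    return flagged


# Constructed sample mirroring the PoC in this report: a symlink "dir"
# pointing at /tmp, followed by a regular file "dir/file".
POC_ENTRIES = [("dir", "/tmp"), ("dir/file", None)]

# Constructed benign sample: a real directory, a file in it, a leaf symlink.
BENIGN_ENTRIES = [("dir", None), ("dir/file", None), ("link", "dir/file")]

if __name__ == "__main__":
    for name, via, target in writes_through_symlinks(POC_ENTRIES):
        print(f"refuse {name}: path goes through symlink {via} -> {target}")
```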
Advisory uploaded.
CC: (none) => remi
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
Validating.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0080.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED