A security issue in cpio was reported today (January 19): http://seclists.org/oss-sec/2016/q1/136
CVE assignment is pending.
A PoC is attached to the above message.
I'm not aware of an existing fix at this time.
Whiteboard: (none) => MGA5TOO
CVE-2016-2037 has been assigned: http://openwall.com/lists/oss-security/2016/01/22/4
Summary: cpio new out-of-bounds-write security issue => cpio new out-of-bounds-write security issue (CVE-2016-2037)
Patched packages uploaded for Mageia 5 and Cauldron. Note the PoC information in the oss-security thread.

Advisory:
========================

Updated cpio package fixes security vulnerability:

An out-of-bounds write in cpio was found in the parsing of cpio files, in the process_copy_in() function in src/copyin.c (CVE-2016-2037).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2037
http://openwall.com/lists/oss-security/2016/01/22/4
========================

Updated packages in core/updates_testing:
========================
cpio-2.11-11.1.mga5

from cpio-2.11-ll.1.mga5.src.rpm
Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO => has_procedure
Testing M5 x64

Using the given test file: http://seclists.org/oss-sec/2016/q1/att-136/overflow_cpio.bin [renamed to overflow.cpio as per the link to it from http://seclists.org/oss-sec/2016/q1/136]

BEFORE this update (cpio-2.11-11.mga5):

$ cpio -it < tmp/overflow.cpio
cpio: Malformed number0000000
cpio: warning: skipped 8 bytes of junk
cpio: Substituting `.' for empty member name
.
cpio: premature end of file

which is not (as we find often) the result hoped for - a crash.

AFTER the update to cpio-2.11-11.1.mga5: the result was identical. So no reversion = OK.
CC: (none) => lewyssmith
Whiteboard: has_procedure => has_procedure MGA5-64-OK
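The cpio messages in the test above ("Malformed number", "premature end of file") are the parser refusing a hostile header instead of acting on it. As an added illustration, written for this page and not taken from the bug report, the PoC or GNU cpio's own src/copyin.c, the Python below reads the SVR4 "newc" cpio format with the bounds checks a copy-in routine needs: every length field is validated against the bytes actually present before a name or file body is touched. It does not reproduce CVE-2016-2037 itself; the archive bytes, the corrupted variants, and the function names (build_newc, list_newc, classify) are all constructed for the example.

```python
# Added example (not from the bug report or from GNU cpio): a small,
# bounds-checked reader for the SVR4 "newc" cpio format, the kind of
# parsing that a copy-in routine performs.  It rejects the classes of
# input seen in the test above (malformed numbers, truncated archives)
# and a bogus name length, instead of trusting header fields.

NEWC_MAGIC = b"070701"
HEADER_LEN = 110          # 6-byte magic + 13 fields of 8 hex digits
FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize",
          "devmajor", "devminor", "rdevmajor", "rdevminor", "namesize", "check")
HEX_DIGITS = b"0123456789abcdefABCDEF"


class CpioError(ValueError):
    """Raised for any header the reader refuses to trust."""


def _pad4(n):
    """Bytes needed to bring n up to a multiple of 4 (newc alignment)."""
    return (-n) % 4


def build_newc(entries):
    """Build a constructed newc archive from (name, data) pairs and append
    the TRAILER!!! record that terminates the archive."""
    out = bytearray()
    records = list(entries) + [("TRAILER!!!", b"")]
    for ino, (name, data) in enumerate(records, 1):
        name_bytes = name.encode() + b"\0"          # namesize counts the NUL
        vals = dict.fromkeys(FIELDS, 0)
        vals.update(ino=ino, nlink=1, filesize=len(data), namesize=len(name_bytes),
                    mode=0 if name == "TRAILER!!!" else 0o100644)
        header = NEWC_MAGIC + b"".join(b"%08x" % vals[f] for f in FIELDS)
        out += header + name_bytes + b"\0" * _pad4(HEADER_LEN + len(name_bytes))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def _hex_field(raw, field):
    """Parse one 8-digit hex field; reject anything that is not hex
    (cpio reports such input as 'Malformed number')."""
    if len(raw) != 8 or any(c not in HEX_DIGITS for c in raw):
        raise CpioError("malformed number in %s: %r" % (field, raw))
    return int(raw, 16)


def list_newc(buf, max_namesize=4096):
    """Return [(name, filesize), ...] for a newc archive held in memory.
    Every length taken from a header is checked against the buffer before
    any byte is copied, so a hostile namesize or filesize cannot reach
    past the data we actually have."""
    pos = 0
    found = []
    while True:
        header = buf[pos:pos + HEADER_LEN]
        if len(header) < HEADER_LEN:
            raise CpioError("premature end of file at offset %d" % pos)
        if header[:6] != NEWC_MAGIC:
            raise CpioError("bad magic at offset %d" % pos)
        vals = {f: _hex_field(header[6 + 8 * i:14 + 8 * i], f)
                for i, f in enumerate(FIELDS)}
        namesize = vals["namesize"]
        if not 1 <= namesize <= max_namesize:
            raise CpioError("namesize %d out of range" % namesize)
        name_start = pos + HEADER_LEN
        name_raw = buf[name_start:name_start + namesize]
        if len(name_raw) < namesize:
            raise CpioError("premature end of file in name at offset %d" % name_start)
        if name_raw[-1] != 0:
            raise CpioError("name at offset %d is not NUL-terminated" % name_start)
        name = name_raw[:-1].decode("utf-8", "replace")
        data_start = name_start + namesize + _pad4(HEADER_LEN + namesize)
        data_end = data_start + vals["filesize"]
        if data_end > len(buf):
            raise CpioError("premature end of file in data of %r" % name)
        if name == "TRAILER!!!":
            return found
        found.append((name, vals["filesize"]))
        pos = data_end + _pad4(vals["filesize"])


def classify(buf):
    """('ok', entries) for a well-formed archive, ('rejected', reason) otherwise."""
    try:
        return ("ok", list_newc(buf))
    except CpioError as exc:
        return ("rejected", str(exc))


# Constructed samples: a valid archive and three corruptions of it.
GOOD = build_newc([("hello.txt", b"hello\n"), ("etc/a.cfg", b"x=1\n")])
TRUNCATED = GOOD[:-40]                                  # trailer header cut off
NAMESIZE_OFF = 6 + 8 * FIELDS.index("namesize")         # byte offset of namesize
BAD_NUMBER = GOOD[:NAMESIZE_OFF] + b"0000zzzz" + GOOD[NAMESIZE_OFF + 8:]
HUGE_NAME = GOOD[:NAMESIZE_OFF] + b"ffffffff" + GOOD[NAMESIZE_OFF + 8:]

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("truncated", TRUNCATED),
                          ("bad number", BAD_NUMBER), ("huge namesize", HUGE_NAME)):
        print(label, classify(sample))
```

The point of the QA check in the comment above is that a malformed archive must end in a diagnostic, never in a crash; the reader here makes that property explicit by raising CpioError from one place for every length or number it cannot verify, so the caller sees "rejected" with a reason rather than a memory access driven by attacker-chosen header values.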
The output on the link looks like valgrind, the memory debugging tool. It's a bit of a subject on its own but you can sometimes use it, basically, to see relevant info. (eg. valgrind cpio -it < /tmp/overflow.cpio)

In this case we can see the patch has been applied with a diff of the srpm http://madb.mageia.org/rpm/diff/application/0/name/cpio-2.11-11.1.mga5.src.rpm/source/1/release/5/arch/i586/t_media/5

At the top is the patch file being added. Further down in the spec it shows it has been listed and applied.

@@ -13,6 +14,7 @@ Patch14: cpio-2.11-null-deref.patch Patch15: cpio-2.11-testsuite-null-deref.patch Patch16: cpio-2.11-no-overwrite-symlinks.patch +Patch17: cpio-2.12-CVE-2016-2037.patch BuildRequires: bison Requires(post): info-install Requires(preun): info-install @@ -42,6 +44,7 @@ %patch14 -p1 -b .null-deref %patch15 -p1 -b .testsuite-null-deref %patch16 -p1 -b .no-overwrite-symlink +%patch17 -p1 -b .CVE-2016-2037

No regressions on top of this is quite sufficient, well done.
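Review bot: the added patch file is named cpio-2.12-CVE-2016-2037.patch while the package being built is cpio-2.11 (the +Patch17 line in the first hunk), so this is an upstream 2.12 fix carried onto 2.11 sources; the build log is the place to confirm that `%patch17 -p1 -b .CVE-2016-2037` applied without fuzz or offset. The `.CVE-2016-2037` backup suffix follows the convention of the neighbouring %patch lines. Note also that the second hunk as pasted ends at the added %patch17 line, so its trailing context lines are not visible here.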
Validating. Advisory uploaded. (Changed typewriter 1's to real 1's in srpm) Please push to 5 updates, thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
URL: (none) => http://lwn.net/Vulnerabilities/675700/
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0063.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED