Ubuntu has issued an advisory on November 6: https://usn.ubuntu.com/4176-1/ Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
In the light of a recent security bug re-assignment, assigning this one globally, CC'ing Shlomi as the registered maintainer.
CC: (none) => shlomifAssignee: bugsquad => pkg-bugs
Fixed in cpio-2.12-6.mga8 for Cauldron, and in cpio-2.12-5.1.mga7 in Mga7, both currently building...
Version: Cauldron => 7Assignee: pkg-bugs => qa-bugsWhiteboard: MGA7TOO => (none)CC: (none) => tmb
SRPM: cpio-2.12-5.1.mga7.src.rpm i586: cpio-2.12-5.1.mga7.i586.rpm x86_64: cpio-2.12-5.1.mga7.x86_64.rpm
installed it. created a cpio file and was able to extract it. created a tar file using cpio $ ls | cpio -ov -H tar -F chris.tar Tried to extract it with cpio $ cpio -idv -F chris.tar realloc(): invalid pointer Aborted (core dumped) However, I was able to extract using the tar command. Can someone confirm my result? Not sure this is fully fixed.
CC: (none) => brtians1
In reply to Brian, comment 4: Tried compressing a directory into a .crc file and extracted it in /tmp and that worked fine. Updated the package and tried the same thing with tar and that failed to extract. $ ls | cpio -ov -H tar -F ruby.tar $ cpio -idv -F ruby.tar realloc(): invalid pointer Aborted (core dumped) Using the tar command to extract the contents works perfectly well. Rna the same sequence using crc compression and found that that extraction works fine. Seems to point to a bug in the tar code.
CC: (none) => tarazed25
And since the generated tar files seem to be valid it narrows down to the extraction handling of tar files.
MGA7-64 Plasma on Lenovo B50 No installation issues Followed more or less Brian $ cd ../Afbeeldingen/ [tester7@mach5 Afbeeldingen]$ ls | cpio -ov -H tar -F cpiotest.tar cpiotest.tar ikke2012.jpg P7212389.ORF P7212390.ORF P7212391.ORF P7212392.ORF p.tif 208861 blokken Now copied the cpiotest.tar file to $ cd ../tmp/cpiotest/ and with that a pwd $ cpio -idv -F cpiotest.tar realloc(): invalid pointer Afgebroken (geheugendump gemaakt) aborted ....) But tried: $ ark cpiotest.tar ark.kerfuffle: Could not detect mimetype from content. Using extension-based mimetype: "application/x-tar" ark.kerfuffle: Could not detect mimetype from content. Using extension-based mimetype: "application/x-tar" ark.kerfuffle: Could not detect mimetype from content. Using extension-based mimetype: "application/x-tar" kf5.kio.core: "Kon de map tags:/ niet binnengaan." qt.qpa.xcb: QXcbConnection: XCB error: 3 (BadWindow), sequence: 1723, resource id: 33554604, major code: 40 (TranslateCoords), minor code: 0 and ark extracted the files OK. Checked with cpio --help the options used in the cpio extraction command, but I cann't find anything wrong with it (what did you expect????) So no OK from me neither.
CC: (none) => herman.viaene
Is this tar issue a regression?
Just checked that. It is a regression by the looks of it. The pre-update version had no problem in a simple test like those already reported.
Keywords: (none) => feedback
Follow on from comment 9. Just to be sure I added a directory to the dummy test directory and ran the same commands. cpio behaved impeccably, noting the fact that some of the files looked the same and did not need to be replaced. The added directory was passed in name only, because there does not appear to be a directory expansion facility. The namelist is exactly that so a named directory is just another file, created as a leading directory if the -d option is used. I would say the tar extraction problem is definitely a regression.
ok will take a look
So, it turns out upstream has gone active again after a multi-year "sleep" ... And they have released 2.13 with all the security fixes, including one cve-2015... we previously missed..., and several other bugfixes... So I've rolled up to that to get a fresh cpio And it passes its own testsuite, and the testcase in comment 4 SRPM: cpio-2.13-1.mga7.src.rpm i586: cpio-2.13-1.mga7.i586.rpm x86_64: cpio-2.13-1.mga7.x86_64.rpm
Keywords: feedback => (none)
Quick work! Thanks Thomas ... waiting for the mirrors.
Mageia7, x86_64 Updated cpio from updates testing and ran a simple test: $ ls *.ps | cpio -ov -H tar -F ps.tar abc-0.ps abc-1.ps abc-2.ps abc-3.ps abc-4.ps julian.ps ticket.ps $ mkdir ps $ mv ps.tar ps $ cd ps $ cpio -idv -F ps.tar abc-0.ps abc-1.ps abc-2.ps abc-3.ps abc-4.ps julian.ps ticket.ps 178 blocks All recovered files intact. Good for 64-bits unless anybody wants to do anything more complex.
Got hold of the testsuite from https://coral.googlesource.com/busybox/+/refs/heads/release-chef/testsuite/cpio.tests = testing.sh Tried running it and hit a problem: $ sh testing.sh Segmentation fault (core dumped) $ ./testing.sh Segmentation fault (core dumped) Maybe there is some magic for running it. Saw none of the internal messages. Is there a test harness of some kind I wonder? If the line '. ./testing.sh' is commented out errors like this occur: ./testing.sh: line 27: optional: command not found ./testing.sh: line 28: testing: command not found Ach, forget it. It works for Thomas.
Repeated my test with new version 2.13: now all OK
Whiteboard: (none) => MGA7-64-OK
Validating.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0326.html
Status: NEW => RESOLVEDResolution: (none) => FIXED