Bug 25680 - cpio new security issue CVE-2019-14866
Summary: cpio new security issue CVE-2019-14866
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-11-10 18:48 CET by David Walser
Modified: 2019-11-14 18:00 CET

See Also:
Source RPM: cpio-2.12-5.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2019-11-10 18:48:08 CET
Ubuntu has issued an advisory on November 6:
https://usn.ubuntu.com/4176-1/

Mageia 7 is also affected.
David Walser 2019-11-10 18:48:16 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-11-10 21:08:04 CET
In the light of a recent security bug re-assignment, assigning this one globally, CC'ing Shlomi as the registered maintainer.

CC: (none) => shlomif
Assignee: bugsquad => pkg-bugs

Comment 2 Thomas Backlund 2019-11-10 21:22:51 CET
Fixed in cpio-2.12-6.mga8 for Cauldron, and in cpio-2.12-5.1.mga7 in Mga7, both currently building...

Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO => (none)
CC: (none) => tmb

Comment 3 Thomas Backlund 2019-11-10 22:49:25 CET
SRPM:
cpio-2.12-5.1.mga7.src.rpm


i586:
cpio-2.12-5.1.mga7.i586.rpm


x86_64:
cpio-2.12-5.1.mga7.x86_64.rpm
Comment 4 Brian Rockwell 2019-11-11 03:20:04 CET
installed it.

created a cpio file and was able to extract it.

created a tar file using cpio

$ ls | cpio -ov -H tar -F chris.tar



Tried to extract it with cpio

$ cpio -idv -F chris.tar
realloc(): invalid pointer
Aborted (core dumped)


However, I was able to extract using the tar command.

Can someone confirm my result?  Not sure this is fully fixed.

CC: (none) => brtians1

Comment 5 Len Lawrence 2019-11-11 10:41:55 CET
In reply to Brian, comment 4:

Tried compressing a directory into a .crc file and extracted it in /tmp and that worked fine.
Updated the package and tried the same thing with tar and that failed to extract.
$ ls | cpio -ov -H tar -F ruby.tar
$ cpio -idv -F ruby.tar
realloc(): invalid pointer
Aborted (core dumped)

Using the tar command to extract the contents works perfectly well.

Ran the same sequence using crc compression and found that that extraction works fine.
Seems to point to a bug in the tar code.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2019-11-11 10:46:04 CET
And since the generated tar files seem to be valid it narrows down to the extraction handling of tar files.
Comment 7 Herman Viaene 2019-11-11 10:48:34 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
Followed more or less Brian
$ cd ../Afbeeldingen/
[tester7@mach5 Afbeeldingen]$ ls | cpio -ov -H tar -F cpiotest.tar
cpiotest.tar
ikke2012.jpg
P7212389.ORF
P7212390.ORF
P7212391.ORF
P7212392.ORF
p.tif
208861 blokken
Now copied the cpiotest.tar file to 
$ cd ../tmp/cpiotest/
and with that a pwd
$ cpio -idv -F cpiotest.tar 
realloc(): invalid pointer
Afgebroken (geheugendump gemaakt) aborted ....)
But tried:

$ ark cpiotest.tar 
ark.kerfuffle: Could not detect mimetype from content. Using extension-based mimetype: "application/x-tar"
ark.kerfuffle: Could not detect mimetype from content. Using extension-based mimetype: "application/x-tar"
ark.kerfuffle: Could not detect mimetype from content. Using extension-based mimetype: "application/x-tar"
kf5.kio.core: "Kon de map tags:/ niet binnengaan."
qt.qpa.xcb: QXcbConnection: XCB error: 3 (BadWindow), sequence: 1723, resource id: 33554604, major code: 40 (TranslateCoords), minor code: 0

and ark extracted the files OK.
Checked with cpio --help the options used in the cpio extraction command, but I can't find anything wrong with it (what did you expect????)

So no OK from me either.

CC: (none) => herman.viaene

Comment 8 David Walser 2019-11-11 15:56:29 CET
Is this tar issue a regression?
Comment 9 Len Lawrence 2019-11-11 16:34:47 CET
Just checked that.  It is a regression by the looks of it.  The pre-update version had no problem in a simple test like those already reported.
David Walser 2019-11-11 16:38:37 CET

Keywords: (none) => feedback

Comment 10 Len Lawrence 2019-11-11 16:54:33 CET
Follow on from comment 9.

Just to be sure I added a directory to the dummy test directory and ran the same commands.  cpio behaved impeccably, noting the fact that some of the files looked the same and did not need to be replaced.  The added directory was passed in name only, because there does not appear to be a directory expansion facility.  The namelist is exactly that so a named directory is just another file, created as a leading directory if the -d option is used.  I would say the tar extraction problem is definitely a regression.
Comment 11 Thomas Backlund 2019-11-11 17:03:06 CET
ok will take a look
Comment 12 Thomas Backlund 2019-11-11 18:00:23 CET
So, it turns out upstream has gone active again after a multi-year "sleep" ...

And they have released 2.13 with all the security fixes, including one cve-2015... we previously missed..., and several other bugfixes...

So I've rolled up to that to get a fresh cpio

And it passes its own testsuite, and the testcase in comment 4

SRPM:
cpio-2.13-1.mga7.src.rpm


i586:
cpio-2.13-1.mga7.i586.rpm


x86_64:
cpio-2.13-1.mga7.x86_64.rpm

Keywords: feedback => (none)

Comment 13 Len Lawrence 2019-11-11 18:04:38 CET
Quick work!  Thanks Thomas ... waiting for the mirrors.
Comment 14 Len Lawrence 2019-11-11 23:35:46 CET
Mageia7, x86_64

Updated cpio from updates testing and ran a simple test:

$ ls *.ps | cpio -ov -H tar -F ps.tar
abc-0.ps
abc-1.ps
abc-2.ps
abc-3.ps
abc-4.ps
julian.ps
ticket.ps
$ mkdir ps
$ mv ps.tar ps
$ cd ps
$ cpio -idv -F ps.tar
abc-0.ps
abc-1.ps
abc-2.ps
abc-3.ps
abc-4.ps
julian.ps
ticket.ps
178 blocks

All recovered files intact.  Good for 64-bits unless anybody wants to do anything more complex.
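The round-trip check that Brian, Len and Herman ran by hand in comments 4, 5, 7 and 14, written up as a small POSIX shell function. This is an added example, not a script from the bug report or from the cpio project; it assumes GNU cpio on PATH (it returns status 2 and skips when cpio is absent), constructs its own sample files, and compares `cksum` output before and after extraction so that either the `realloc(): invalid pointer` abort or silently corrupted output registers as a failure rather than having to be spotted by eye.

```shell
#!/bin/sh
# Added regression check for the cpio tar-format extraction problem in this
# bug (not the bug report's or the cpio project's own test). Packs a
# constructed directory with `cpio -o -H <format>`, unpacks it into a fresh
# directory with `cpio -id`, and compares checksums of every file.
# Return codes: 0 = clean round trip, 1 = extraction failed or contents
# differ (the regression), 2 = cpio not installed (check skipped).

cpio_roundtrip() {
    fmt="$1"                      # archive format, e.g. tar or crc
    command -v cpio >/dev/null 2>&1 || { echo "SKIP: cpio not installed"; return 2; }

    work=$(mktemp -d) || return 1
    mkdir -p "$work/src" "$work/dst"

    # Constructed sample input: three files of different sizes so that a
    # truncated or mis-sized extraction shows up in the checksum comparison.
    printf 'alpha\n' > "$work/src/a.txt"
    dd if=/dev/zero of="$work/src/zeros.bin" bs=1024 count=4 2>/dev/null
    awk 'BEGIN { for (i = 1; i <= 2000; i++) print i }' > "$work/src/numbers.txt"

    # Copy-out pass, as in the thread: feed the file list on stdin.
    if ! ( cd "$work/src" && ls | cpio -o -H "$fmt" -F "$work/test.$fmt" 2>"$work/pack.err" ); then
        echo "FAIL: creating $fmt archive failed"; cat "$work/pack.err"
        rm -rf "$work"; return 1
    fi

    # Copy-in pass into an empty directory; a crash here is the reported bug.
    if ! ( cd "$work/dst" && cpio -id -F "$work/test.$fmt" 2>"$work/unpack.err" ); then
        echo "FAIL: extracting $fmt archive failed"; cat "$work/unpack.err"
        rm -rf "$work"; return 1
    fi

    # Compare checksum, size and name of every file on both sides.
    ( cd "$work/src" && cksum a.txt zeros.bin numbers.txt ) > "$work/src.sum"
    ( cd "$work/dst" && cksum a.txt zeros.bin numbers.txt 2>/dev/null ) > "$work/dst.sum"
    if cmp -s "$work/src.sum" "$work/dst.sum"; then
        echo "OK: $fmt round trip intact"
        rm -rf "$work"; return 0
    fi
    echo "FAIL: $fmt archive extracted but contents differ"
    diff "$work/src.sum" "$work/dst.sum"
    rm -rf "$work"; return 1
}

# Usage (both formats discussed in the thread; a non-zero status flags the regression):
#   cpio_roundtrip tar && cpio_roundtrip crc
```

Running it against the 2.12-5.1 build from comment 3 would have returned 1 from the tar pass (the copy-in aborts, so `cpio -id` exits non-zero) while the crc pass returned 0, which is exactly the split Len observed in comment 5; against 2.13-1 both passes return 0.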
Comment 15 Len Lawrence 2019-11-12 00:22:06 CET
Got hold of the testsuite from https://coral.googlesource.com/busybox/+/refs/heads/release-chef/testsuite/cpio.tests
= testing.sh

Tried running it and hit a problem:
$ sh testing.sh
Segmentation fault (core dumped)
$ ./testing.sh
Segmentation fault (core dumped)

Maybe there is some magic for running it.  Saw none of the internal messages.
Is there a test harness of some kind I wonder?
If the line '. ./testing.sh' is commented out errors like this occur:
./testing.sh: line 27: optional: command not found
./testing.sh: line 28: testing: command not found

Ach, forget it.  It works for Thomas.
Comment 16 Herman Viaene 2019-11-12 15:02:02 CET
Repeated my test with new version 2.13: now all OK

Whiteboard: (none) => MGA7-64-OK

Comment 17 Thomas Andrews 2019-11-14 02:21:17 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-11-14 16:38:25 CET

Keywords: (none) => advisory

Comment 18 Mageia Robot 2019-11-14 18:00:42 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0326.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

