SUSE has issued an advisory today (August 12): https://lists.suse.com/pipermail/sle-security-updates/2021-August/009282.html Mageia 8 is also affected.
CC: (none) => tmbWhiteboard: (none) => MGA8TOO
Assign to all packagers collectively, since this package has no registered maintainer. CC'ing two more committers.
Assignee: bugsquad => pkg-bugsCC: (none) => dan, joequant, marja11
openSUSE has issued an advisory for this on August 16: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XORUFH2I27QQWZXGSRUKWLXW5NX5KLXA/
Status comment: (none) => Patch available from openSUSE
Suggested advisory: ======================== The updated package fixes a security vulnerability: GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. (CVE-2021-38185) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38185 https://lists.suse.com/pipermail/sle-security-updates/2021-August/009282.html https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XORUFH2I27QQWZXGSRUKWLXW5NX5KLXA/ ======================== Updated package in core/updates_testing: ======================== cpio-2.13-5.1.mga8 from SRPM: cpio-2.13-5.1.mga8.src.rpm
CC: (none) => nicolas.salgueroStatus comment: Patch available from openSUSE => (none)Status: NEW => ASSIGNEDCVE: (none) => CVE-2021-38185Assignee: pkg-bugs => qa-bugsWhiteboard: MGA8TOO => (none)Version: Cauldron => 8
Test CPIO before update: find /home/guillaume/Documents/test_cpio/ |cpio -ocvB > /home/guillaume/Téléchargements/testCPIO /home/guillaume/Documents/test_cpio/ /home/guillaume/Documents/test_cpio/glinfo /home/guillaume/Documents/test_cpio/MAJ kernel 3 blocs Test => OK Update CPIO with QA repo on MGA8 64 XFCE. Test CPIO after update removing archive testCPIO: find /home/guillaume/Documents/test_cpio/ |cpio -ocvB > /home/guillaume/Téléchargements/testCPIO /home/guillaume/Documents/test_cpio/ /home/guillaume/Documents/test_cpio/glinfo /home/guillaume/Documents/test_cpio/MAJ kernel 3 blocs Test => OK
CC: (none) => guillaume.royer
Ubuntu has issued an advisory for this today (September 8): https://ubuntu.com/security/notices/USN-5064-1 They said they needed a couple of extra commits to fix regressions: https://ubuntu.com/security/CVE-2021-38185 Is our build OK?
(In reply to David Walser from comment #5) > They said they needed a couple of extra commits to fix regressions: > https://ubuntu.com/security/CVE-2021-38185 > > Is our build OK? Yes it is. When I added the patch for the CVE, I saw that two additional commits were needed so I added them too.
Adding ok based on comment 4 and validating. Advisory committed to svn.
Keywords: (none) => advisory, validated_updateWhiteboard: (none) => MGA8-64-OKCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0423.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED