Bug 29366 - cpio new security issue CVE-2021-38185
Summary: cpio new security issue CVE-2021-38185
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-08-12 14:05 CEST by David Walser
Modified: 2021-09-09 09:04 CEST

See Also:
Source RPM: cpio-2.13-5.mga8.src.rpm
CVE: CVE-2021-38185
Status comment:


Description David Walser 2021-08-12 14:05:20 CEST
SUSE has issued an advisory today (August 12):
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009282.html

Mageia 8 is also affected.

David Walser 2021-08-12 14:05:44 CEST

CC: (none) => tmb
Whiteboard: (none) => MGA8TOO

Comment 1 Marja Van Waes 2021-08-12 17:10:10 CEST
Assign to all packagers collectively, since this package has no registered maintainer. CC'ing two more committers.

CC: (none) => dan, joequant, marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2021-08-17 17:42:43 CEST
openSUSE has issued an advisory for this on August 16:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XORUFH2I27QQWZXGSRUKWLXW5NX5KLXA/

Status comment: (none) => Patch available from openSUSE

Comment 3 Nicolas Salguero 2021-08-30 15:52:48 CEST
Suggested advisory:
========================

The updated package fixes a security vulnerability:

GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. (CVE-2021-38185)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38185
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009282.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XORUFH2I27QQWZXGSRUKWLXW5NX5KLXA/
========================

Updated package in core/updates_testing:
========================
cpio-2.13-5.1.mga8

from SRPM:
cpio-2.13-5.1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Patch available from openSUSE => (none)
Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-38185
CC: (none) => nicolas.salguero
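
The advisory text above attributes CVE-2021-38185 to an integer overflow in a growable-string reader that ends in an out-of-bounds heap write. As an added example (not cpio's code and not the patch shipped in this update; `dstr`, `dstr_grow`, `dstr_fgetstr`, `count_patterns` and the size cap are hypothetical), a delimiter-terminated reader in C that keeps sizes in `size_t` and refuses to grow past a caller-supplied limit, so the size arithmetic cannot wrap:

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical growable string (not cpio's dstring); sizes are size_t. */
struct dstr { char *buf; size_t cap; };

/* Grow by doubling, failing instead of wrapping or passing max_cap. */
static int dstr_grow(struct dstr *s, size_t max_cap)
{
    size_t ncap = max_cap < 16 ? max_cap : 16;   /* first allocation */
    if (s->cap >= max_cap) return -1;            /* limit reached: refuse */
    if (s->cap != 0) ncap = s->cap > max_cap / 2 ? max_cap : s->cap * 2;
    char *p = realloc(s->buf, ncap);
    if (p == NULL) return -1;
    s->buf = p; s->cap = ncap;
    return 0;
}

/* Read one eos-terminated string: 0 ok, -1 EOF, -2 over the cap or OOM. */
static int dstr_fgetstr(FILE *f, struct dstr *s, int eos, size_t max_cap)
{
    size_t i = 0;
    int c;
    if (s->cap == 0 && dstr_grow(s, max_cap) != 0) return -2;
    while ((c = getc(f)) != EOF && c != eos) {
        /* Keep room for this byte and the NUL before writing. */
        if (i + 1 >= s->cap && dstr_grow(s, max_cap) != 0) return -2;
        s->buf[i++] = (char)c;
    }
    if (c == EOF && i == 0) return -1;
    s->buf[i] = '\0';
    return 0;
}

/* Count the lines of text that fit under max_cap; -2 if one does not. */
static int count_patterns(const char *text, size_t max_cap)
{
    struct dstr s = { NULL, 0 };
    FILE *f = tmpfile();
    int n = 0, rc;
    if (f == NULL) return -3;
    fputs(text, f); rewind(f);
    while ((rc = dstr_fgetstr(f, &s, '\n', max_cap)) == 0) n++;
    fclose(f); free(s.buf);
    return rc == -1 ? n : rc;
}

/* Constructed sample pattern lines, not taken from the page. */
int main(void) { printf("%d\n", count_patterns("*.txt\nsrc/*\n", 64)); return 0; }
```

A caller should treat the -2 result as fatal for that input, since the rest of the over-long line is still unread in the stream.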

Comment 4 Guillaume Royer 2021-09-02 20:58:14 CEST
Test CPIO before update:

find /home/guillaume/Documents/test_cpio/ |cpio -ocvB > /home/guillaume/Téléchargements/testCPIO
/home/guillaume/Documents/test_cpio/
/home/guillaume/Documents/test_cpio/glinfo
/home/guillaume/Documents/test_cpio/MAJ kernel
3 blocs

Test => OK

Update CPIO with QA repo on MGA8 64 XFCE.

Test CPIO after update removing archive testCPIO:

find /home/guillaume/Documents/test_cpio/ |cpio -ocvB > /home/guillaume/Téléchargements/testCPIO
/home/guillaume/Documents/test_cpio/
/home/guillaume/Documents/test_cpio/glinfo
/home/guillaume/Documents/test_cpio/MAJ kernel
3 blocs

Test => OK

CC: (none) => guillaume.royer

Comment 5 David Walser 2021-09-08 22:33:48 CEST
Ubuntu has issued an advisory for this today (September 8):
https://ubuntu.com/security/notices/USN-5064-1

They said they needed a couple of extra commits to fix regressions:
https://ubuntu.com/security/CVE-2021-38185

Is our build OK?

Comment 6 Nicolas Salguero 2021-09-09 09:04:18 CEST
(In reply to David Walser from comment #5)
> They said they needed a couple of extra commits to fix regressions:
> https://ubuntu.com/security/CVE-2021-38185
> 
> Is our build OK?

Yes it is.  When I added the patch for the CVE, I saw that two additional commits were needed so I added them too.
