Control: tags 812401 + pending

Hi Anibal,

I've prepared an NMU for cpio (versioned as 2.11+dfsg-4.2) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer or cancel it if you would like to do it yourself.

I chose to upload to DELAYED/2 instead of DELAYED/5 since you seem to be listed on LowNMU.

Regards,
Salvatore

diff -Nru cpio-2.11+dfsg/debian/changelog cpio-2.11+dfsg/debian/changelog --- cpio-2.11+dfsg/debian/changelog 2015-03-05 11:47:10.000000000 +0100 +++ cpio-2.11+dfsg/debian/changelog 2016-02-13 07:15:04.000000000 +0100 @@ -1,3 +1,10 @@ +cpio (2.11+dfsg-4.2) unstable; urgency=medium + + * Non-maintainer upload. + * CVE-2016-2037: 1-byte out-of-bounds write (Closes: #812401) + + -- Salvatore Bonaccorso <[email protected]> Sat, 13 Feb 2016 06:53:01 +0100 + cpio (2.11+dfsg-4.1) unstable; urgency=medium * Apply patch by Vitezslav Cizek of SuSE to fix CVE-2015-1197. diff -Nru cpio-2.11+dfsg/debian/patches/CVE-2016-2037.patch cpio-2.11+dfsg/debian/patches/CVE-2016-2037.patch --- cpio-2.11+dfsg/debian/patches/CVE-2016-2037.patch 1970-01-01 01:00:00.000000000 +0100 +++ cpio-2.11+dfsg/debian/patches/CVE-2016-2037.patch 2016-02-13 07:15:04.000000000 +0100 
@@ -0,0 +1,44 @@ +Description: fix 1-byte out-of-bounds write (CVE-2016-2037) + Other calls to cpio_safer_name_suffix seem to be safe. + . + * src/copyin.c (process_copy_in): Make sure that file_hdr.c_name + has at least two bytes allocated. + * src/util.c (cpio_safer_name_suffix): Document that use of this + function requires to be careful. +Origin: upstream, https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html +Bug-Debian: https://bugs.debian.org/812401 +Forwarded: not-needed +Author: Pavel Raiskup <[email protected]> +Reviewed-by: Salvatore Bonaccorso <[email protected]> +Last-Update: 2016-02-12 + +--- + src/copyin.c | 2 ++ + src/util.c | 5 ++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/src/copyin.c ++++ b/src/copyin.c +@@ -1433,6 +1433,8 @@ process_copy_in () + break; + } + ++ if (file_hdr.c_namesize <= 1) ++ file_hdr.c_name = xrealloc(file_hdr.c_name, 2); + cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag, + false); + +--- a/src/util.c ++++ b/src/util.c +@@ -1374,7 +1374,10 @@ set_file_times (int fd, + } + + /* Do we have to ignore absolute paths, and if so, does the filename +- have an absolute path? */ ++ have an absolute path? ++ Before calling this function make sure that the allocated NAME buffer has ++ capacity at least 2 bytes to allow us to store the "." string inside. */ ++ + void + cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names, + bool strip_leading_dots) diff -Nru cpio-2.11+dfsg/debian/patches/series cpio-2.11+dfsg/debian/patches/series --- cpio-2.11+dfsg/debian/patches/series 2015-03-05 11:49:50.000000000 +0100 +++ cpio-2.11+dfsg/debian/patches/series 2016-02-13 07:15:04.000000000 +0100 @@ -17,3 +17,4 @@ fd262d11.patch f6a8a2cb.patch CVE-2015-1197.patch +CVE-2016-2037.patch
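
Review bot: In the src/copyin.c hunk (process_copy_in), the guard grows file_hdr.c_name to 2 bytes when `file_hdr.c_namesize <= 1` but leaves c_namesize unchanged and does not initialize the newly allocated bytes. The recorded size then no longer matches the allocation, and for a c_namesize of 0 nothing in this hunk shows that the buffer is NUL-terminated before cpio_safer_name_suffix reads it. Suggest setting the first byte to '\0' in the zero-size case (or rejecting such a header), and adding a one-line comment at the call site saying the 2 bytes are there to hold the "." string, as the util.c comment states.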
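
Review bot: The new comment above cpio_safer_name_suffix in src/util.c states the 2-byte capacity requirement, but the function still takes only `char *name` with no size, so the contract cannot be checked inside the function, and the patch description itself says only that other callers "seem to be safe". Suggest listing the audited callers in the patch description, or passing the buffer capacity so the function can verify it before storing ".". Minor: the hunk adds a blank line between the comment and `void`, and "has capacity at least 2 bytes" reads better as "has a capacity of at least 2 bytes".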

