Hi LTS contributors I have built a cpio package with CVE-2019-14866 corrected. According to my testing it is no longer possible to reproduce the problem reported in this CVE.
You can find the packages I have produced here: http://apt.inguza.net/jessie-security/cpio The (so far rather limited) testing I have done can be found in README.testresult How to reproduce the problem can be found in the patch. It is easy to reproduce the problem on both jessie and wheezy. The debdiff is found in cpio.debdiff. Since cpio is a rather crucial package I would like some more people to test this package. At least for regression. An interesting note is that the patch solved the CVE for jessie, but for some unknown reason it did not solve the problem for wheezy. I have not yet found out why. Best regards // Ola -- --- Inguza Technology AB --- MSc in Information Technology ---- | [email protected] [email protected] | | http://inguza.com/ Mobile: +46 (0)70-332 1551 | ---------------------------------------------------------------
