Hi,

On 29/10/2019 23:12, Ola Lundqvist wrote:
> Hi LTS contributors
>
> I have built a cpio package with CVE-2019-14866 corrected.
> According to my testing it is no longer possible to reproduce the
> problem reported in this CVE.
>
> You can find the packages I have produced here:
> http://apt.inguza.net/jessie-security/cpio
>
> The (so far rather limited) testing I have done can be found in
> README.testresult
> How to reproduce the problem can be found in the patch. It is easy to
> reproduce the problem on both jessie and wheezy.
>
> The debdiff is found in cpio.debdiff.
>
> Since cpio is a rather crucial package I would like some more people
> to test this package. At least for regression.

I got contacted by cpio maintainer Sergey Poznyakoff <[email protected]> who told me he was in the process of fixing it.
You could coordinate with him and/or watch the upstream git repo for a sanctioned patch, which should help with your testing requirements :)

Cheers!
Sylvain
