This bug was fixed in the package cpio - 2.13+dfsg-7 Sponsored for Heinrich Schuchardt (xypron)
--------------- cpio (2.13+dfsg-7) unstable; urgency=medium [ Salvatore Bonaccorso ] * Fix dynamic string reallocations (Closes: #992192) -- Anibal Monsalve Salazar <ani...@debian.org> Sun, 22 Aug 2021 15:21:53 +1000 cpio (2.13+dfsg-6) unstable; urgency=high * Fix regression of original fix for CVE-2021-38185 Add patch 992098-regression-of-orig-fix-for-CVE-2021-38185 Closes: #992098 -- Anibal Monsalve Salazar <ani...@debian.org> Fri, 13 Aug 2021 13:06:27 +1000 cpio (2.13+dfsg-5) unstable; urgency=medium * Fix CVE-2021-38185 Add patch 992045-CVE-2021-38185-rewrite-dynamic-string-support Closes: #992045 -- Anibal Monsalve Salazar <ani...@debian.org> Wed, 11 Aug 2021 01:18:33 +1000 ** Changed in: cpio (Ubuntu) Status: New => Fix Released ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-38185 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cpio in Ubuntu. https://bugs.launchpad.net/bugs/1958131 Title: Sync cpio 2.13+dfsg-7 (main) from Debian sid (main) Status in cpio package in Ubuntu: Fix Released Bug description: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 affects ubuntu/cpio status new importance wishlist subscribe ubuntu-sponsors done Please sync cpio 2.13+dfsg-7 (main) from Debian sid (main) Explanation of the Ubuntu delta and why it can be dropped: * SECURITY UPDATE: arbitrary code execution via crafted pattern file - debian/patches/CVE-2021-38185.patch: rewrite dynamic string support in src/copyin.c, src/copyout.c, src/copypass.c, src/dstring.c, src/dstring.h, src/util.c. - debian/patches/CVE-2021-38185.2.patch: don't call ds_resize in a loop in src/dstring.c. - debian/patches/CVE-2021-38185.3.patch: fix dynamic string reallocations in src/dstring.c. - CVE-2021-38185 * Back out CVE-2021-381185 patches for now as they appear to be causing a regression when building the kernel - debian/patches/CVE-2021-38185.patch: disabled - debian/patches/CVE-2021-38185.2.patch: disabled * SECURITY UPDATE: arbitrary code execution via crafted pattern file - debian/patches/CVE-2021-38185.2.patch: don't call ds_resize in a loop in src/dstring.c. - CVE-2021-38185 * SECURITY UPDATE: arbitrary code execution via crafted pattern file - debian/patches/CVE-2021-38185.patch: rewrite dynamic string support in src/copyin.c, src/copyout.c, src/copypass.c, src/dstring.c, src/dstring.h, src/util.c. - CVE-2021-38185 The code changes by the patch series in Ubuntu and Debian are the same. The patches are just name differently: d/992045-CVE-2021-38185-rewrite-dynamic-string-support u/patches/CVE-2021-38185.patch d/992098-regression-of-orig-fix-for-CVE-2021-38185 u/CVE-2021-38185.2.patch d/992192-Fix-dynamic-string-reallocations.patch u/patches/CVE-2021-38185.3.patch -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEK7wKXt3/btL6/yA+hO4vgnE3U0sFAmHlU6oACgkQhO4vgnE3 U0s83g//e0P9zbgAB77m0zHcBpyiAYrIDfaWHGGXOARuRd7T5GXrrYFEo1ldGSqy eq9MrcQmFjEjy+0O7AGzmMVoQL0zyjze4OKIEb/8Hv2z9asyscJkI8zkTH7oO+Sg GWER6yP66MCOvTCseGMdlrCWng93GAyJbJSOhVFh1t0Pssl3QJ3txPdNU5j6jKwS b7NKnAMLvxBUHpftayFMHUtbZ/RpTzJavnQlperzN9W9OBbVccwSWwBJ3rjPoj1D LOaXxeuWBDcHi9k7bB/HtDIitkQDvFSqCB0otn14F3I5BUCiM3xqT7kiGZAeP6TP jny3IElHXDdepZOjqZ+UTJ0oTldKxRErz3XXWl32gVB0dOUgF7GgSoPSKckCp5hG P7f7stsc3Cout+jo88AUEDmsV9GX5kLLGFfC8kGlXnIS9S7lH+yd1xfNd6WmZkyd 79pZAXZXAO/wrcD+g2U4OaD5a+LPYDxul6aA2l8hykN9OcN5Q+/F/r5DT2Oa4GeV vCvpbXrs+WGOPfU50qwofB0lhBScsHZ9Yuga6l3VWBrFnbgT0G1ceYqc5X/ym4is fTEBCthtTq7mDVzuSCGe21Ar4TwQtSPhwCu5RRLphmkIREFbFhBLDzSS8wQyyz2V OJuv38UGAmhOMajhmt504BBb/ssMf5ItdRX1+imF0MTQrX4YSbg= =2bpu -----END PGP SIGNATURE----- To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cpio/+bug/1958131/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp