-
Security Vulnerability
-
Resolution: Fixed
-
Severe (Users)
-
None
-
None
-
None
-
This potentially impacts all funtoo users at the moment and we should patch cpio to fix this. No upstream release with this patch yet.
{ "id": "CVE-2021-38185", "is_known_exploited_vuln": false, "description": "GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-38185", "https://github.com/fangqyi/cpiopwn", "https://lists.gnu.org/archive/html/bug-cpio/2021-08/msg00002.html", "https://lists.gnu.org/archive/html/bug-cpio/2021-08/msg00000.html", "https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b" ] }
Upstream not fix this cve in specific version
but patch can be downloaded
https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b
RedHat and Ubuntu use above patch
- is duplicated by
-
FL-10352 app-arch/cpio-2.13 high severity vulnerability
- Closed