Uploaded image for project: 'Funtoo Linux'
  1. Funtoo Linux
  2. FL-10250

app-arch/cpio-2.13 - CVE-2021-38185 - Medium

XMLWordPrintable

    • Icon: Security Vulnerability Security Vulnerability
    • Resolution: Fixed
    • Icon: Severe (Users) Severe (Users)
    • None
    • None
    • None
    • This potentially impacts all funtoo users at the moment and we should patch cpio to fix this. No upstream release with this patch yet. 

      {
  "id": "CVE-2021-38185",
  "is_known_exploited_vuln": false,
  "description": "GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.",
  "urls": [
    "https://nvd.nist.gov/vuln/detail/CVE-2021-38185",
    "https://github.com/fangqyi/cpiopwn",
    "https://lists.gnu.org/archive/html/bug-cpio/2021-08/msg00002.html",
    "https://lists.gnu.org/archive/html/bug-cpio/2021-08/msg00000.html",
    "https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b"
  ]
}

      Upstream not fix this cve in specific version
      but patch can be downloaded

      https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b

      RedHat and Ubuntu use above patch

            siris siris
            tczaude tczaude
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: