found by scanning system with vulner
{ "id": "CVE-2021-38185", "is_known_exploited_vuln": false, "description": "GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-38185", "https://github.com/fangqyi/cpiopwn", "https://lists.gnu.org/archive/html/bug-cpio/2021-08/msg00002.html", "https://lists.gnu.org/archive/html/bug-cpio/2021-08/msg00000.html", "https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b" ] }
this packages (on my system) depend on cpio:
$ equery d cpio * These packages depend on cpio: app-arch/rpm2targz-2021.03.16 (app-arch/cpio) sys-boot/grub-2.06-r2 (test ? app-arch/cpio) sys-kernel/linux-firmware-20220815 (initramfs ? app-arch/cpio)
proposed solution
apply this patch: https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b
- duplicates
-
FL-10250 app-arch/cpio-2.13 - CVE-2021-38185 - Medium
- Closed