  1. Funtoo Linux
  2. FL-10352

app-arch/cpio-2.13 high severity vulnerability

    • Security Vulnerability
    • Resolution: Fixed
    • Severe (Users)
    • Potential exploit -- requires some careful crafting of input to cpio.

      found by scanning system with vulner

      {
        "id": "CVE-2021-38185",
        "is_known_exploited_vuln": false,
        "description": "GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.",
        "urls": [
          "https://nvd.nist.gov/vuln/detail/CVE-2021-38185",
          "https://github.com/fangqyi/cpiopwn",
          "https://lists.gnu.org/archive/html/bug-cpio/2021-08/msg00002.html",
          "https://lists.gnu.org/archive/html/bug-cpio/2021-08/msg00000.html",
          "https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b"
        ]
      }
      

      these packages (on my system) depend on cpio:

      $ equery d cpio
       * These packages depend on cpio:
      app-arch/rpm2targz-2021.03.16 (app-arch/cpio)
      sys-boot/grub-2.06-r2 (test ? app-arch/cpio)
      sys-kernel/linux-firmware-20220815 (initramfs ? app-arch/cpio)
      

      proposed solution
      apply this patch: https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b

            r0b
            mrl5
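
The CVE description quoted in this issue attributes the bug to an integer overflow while a string buffer is being filled. As an added illustration (not cpio's code, not the referenced patch, and not part of the original report), the sketch below shows that general failure mode next to a checked alternative. All function names are hypothetical, and the signed 32-bit doubling model is an assumption made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed model: capacity kept in a signed 32-bit int and doubled on each fill.
   The wrap is computed on uint32_t so the demo itself has no signed-overflow UB. */
static int32_t double_cap_int32(int32_t cap)
{
    return (int32_t)((uint32_t)cap * 2u);   /* 0x40000000 -> INT32_MIN */
}

/* Hardened growth: size_t capacity, overflow checked before multiplying. */
static int double_cap_checked(size_t cap, size_t *out)
{
    if (cap > SIZE_MAX / 2)
        return -1;
    *out = cap ? cap * 2 : 64;
    return 0;
}

/* Read one line of any length into a heap buffer (caller frees). Returns NULL
   on EOF with no data, or when growth or allocation fails. */
static char *read_line_checked(FILE *fp, size_t *len_out)
{
    char *buf = NULL, *tmp;
    size_t cap = 0, len = 0;
    int c;
    while ((c = getc(fp)) != EOF && c != '\n') {
        if (len + 1 >= cap) {               /* keep room for the terminator */
            if (double_cap_checked(cap, &cap) != 0 ||
                (tmp = realloc(buf, cap)) == NULL) {
                free(buf);
                return NULL;
            }
            buf = tmp;
        }
        buf[len++] = (char)c;
    }
    if ((len == 0 && c == EOF) || (buf == NULL && (buf = malloc(1)) == NULL))
        return NULL;
    buf[len] = '\0';
    *len_out = len;
    return buf;
}

int main(void)
{
    size_t n = 0;
    char *line = read_line_checked(stdin, &n);   /* one line from stdin */
    printf("wrapped cap %d, read %zu bytes\n",
           (int)double_cap_int32(0x40000000), line ? n : (size_t)0);
    free(line);
}
```

A capacity that wraps to a negative or small value makes the next allocation smaller than the data already held, which is how an overflow in size arithmetic becomes an out-of-bounds heap write.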