From e7ea6c1e1b7d50529b986747135cfd3f2bfeac57 Mon Sep 17 00:00:00 2001 From: Christian Weisgerber Date: Fri, 15 Nov 2019 22:46:16 +0000 Subject: [PATCH] Document vulnerabilities in GNU cpio < 2.13. --- security/vuxml/vuln.xml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index a1416a8e3d61..d9e3b1da6c92 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -58,6 +58,42 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + GNU cpio -- multiple vulnerabilities + + + gcpio + 2.13 + + + + +

Sergey Poznyakoff reports:

+
+

This stable release fixes several potential vulnerabilities

+

CVE-2015-1197: cpio, when using the --no-absolute-filenames + option, allows local users to write to arbitrary files + via a symlink attack on a file in an archive.

+

CVE-2016-2037: The cpio_safer_name_suffix function in + util.c allows remote attackers to cause a denial of service + (out-of-bounds write) via a crafted cpio file.

+

CVE-2019-14866: Improper input validation when writing + tar header fields leads to unexpected tar generation.

+
+ +
+ + https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html + CVE-2015-1197 + CVE-2016-2037 + CVE-2019-14866 + + + 2019-11-06 + 2019-11-15 + +
+ libmad -- multiple vulnerabilities
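Review bot: the affected range for gcpio shows only the single version 2.13; since the subject line says "GNU cpio < 2.13" and the quoted announcement says the fixes ship in that release, confirm the bound is expressed as a strict less-than so that 2.13 itself is not reported as vulnerable. Two of the three CVEs (CVE-2015-1197, CVE-2016-2037) predate the 2019-11-06 discovery date by several years; that date matches the referenced bug-cpio announcement rather than the original disclosures, which is acceptable for this entry but worth stating in the commit message. The CVE-2019-14866 text ("leads to unexpected tar generation") describes neither cause nor impact, unlike the other two items; consider quoting the fuller wording from the linked announcement so readers can judge exposure.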