Your submission was sent successfully! Close

CVE-2021-38185

Published: 8 August 2021

GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.

Notes

AuthorNote
mdeslaur
second commit fixes a regression. There seems to still be a
regression even with the second commit as it is causing the
kernel to FTBFS.
Also see debian bugs for regressions.
the third commit likely fixes the kernel regressions
Priority

Medium

CVSS 3 base score: 7.8

Status

Package Release Status
cpio
Launchpad, Ubuntu, Debian
bionic
Released (2.12+dfsg-6ubuntu0.18.04.4)
focal
Released (2.13+dfsg-2ubuntu0.3)
hirsute
Released (2.13+dfsg-4ubuntu0.3)
impish
Released (2.13+dfsg-4ubuntu4)
jammy
Released (2.13+dfsg-4ubuntu4)
trusty Needed

upstream
Released (2.13+dfsg-5)
xenial
Released (2.11+dfsg-5ubuntu1.1+esm1)
Patches:
upstream: https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b
upstream: https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dfc801c44a93bed7b3951905b188823d6a0432c8
upstream: https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=236684f6deb3178043fe72a8e2faca538fa2aae1