[Bug 1958131] [NEW] Sync cpio 2.13+dfsg-7 (main) from Debian sid (main)

Heinrich Schuchardt 1958131 at bugs.launchpad.net
Mon Jan 17 11:32:11 UTC 2022


Public bug reported:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 affects ubuntu/cpio
 status new
 importance wishlist
 subscribe ubuntu-sponsors
 done

Please sync cpio 2.13+dfsg-7 (main) from Debian sid (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: arbitrary code execution via crafted pattern file
    - debian/patches/CVE-2021-38185.patch: rewrite dynamic string support
      in src/copyin.c, src/copyout.c, src/copypass.c, src/dstring.c,
      src/dstring.h, src/util.c.
    - debian/patches/CVE-2021-38185.2.patch: don't call ds_resize in a loop
      in src/dstring.c.
    - debian/patches/CVE-2021-38185.3.patch: fix dynamic string
      reallocations in src/dstring.c.
    - CVE-2021-38185
  * Back out CVE-2021-38185 patches for now as they appear to be causing a
    regression when building the kernel
    - debian/patches/CVE-2021-38185.patch: disabled
    - debian/patches/CVE-2021-38185.2.patch: disabled
  * SECURITY UPDATE: arbitrary code execution via crafted pattern file
    - debian/patches/CVE-2021-38185.2.patch: don't call ds_resize in a loop
      in src/dstring.c.
    - CVE-2021-38185
  * SECURITY UPDATE: arbitrary code execution via crafted pattern file
    - debian/patches/CVE-2021-38185.patch: rewrite dynamic string support
      in src/copyin.c, src/copyout.c, src/copypass.c, src/dstring.c,
      src/dstring.h, src/util.c.
    - CVE-2021-38185

The code changes by the patch series in Ubuntu and Debian are the same.
The patches are just named differently:

d/992045-CVE-2021-38185-rewrite-dynamic-string-support u/patches/CVE-2021-38185.patch
d/992098-regression-of-orig-fix-for-CVE-2021-38185 u/CVE-2021-38185.2.patch
d/992192-Fix-dynamic-string-reallocations.patch u/patches/CVE-2021-38185.3.patch
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEK7wKXt3/btL6/yA+hO4vgnE3U0sFAmHlU6oACgkQhO4vgnE3
U0s83g//e0P9zbgAB77m0zHcBpyiAYrIDfaWHGGXOARuRd7T5GXrrYFEo1ldGSqy
eq9MrcQmFjEjy+0O7AGzmMVoQL0zyjze4OKIEb/8Hv2z9asyscJkI8zkTH7oO+Sg
GWER6yP66MCOvTCseGMdlrCWng93GAyJbJSOhVFh1t0Pssl3QJ3txPdNU5j6jKwS
b7NKnAMLvxBUHpftayFMHUtbZ/RpTzJavnQlperzN9W9OBbVccwSWwBJ3rjPoj1D
LOaXxeuWBDcHi9k7bB/HtDIitkQDvFSqCB0otn14F3I5BUCiM3xqT7kiGZAeP6TP
jny3IElHXDdepZOjqZ+UTJ0oTldKxRErz3XXWl32gVB0dOUgF7GgSoPSKckCp5hG
P7f7stsc3Cout+jo88AUEDmsV9GX5kLLGFfC8kGlXnIS9S7lH+yd1xfNd6WmZkyd
79pZAXZXAO/wrcD+g2U4OaD5a+LPYDxul6aA2l8hykN9OcN5Q+/F/r5DT2Oa4GeV
vCvpbXrs+WGOPfU50qwofB0lhBScsHZ9Yuga6l3VWBrFnbgT0G1ceYqc5X/ym4is
fTEBCthtTq7mDVzuSCGe21Ar4TwQtSPhwCu5RRLphmkIREFbFhBLDzSS8wQyyz2V
OJuv38UGAmhOMajhmt504BBb/ssMf5ItdRX1+imF0MTQrX4YSbg=
=2bpu
-----END PGP SIGNATURE-----

** Affects: cpio (Ubuntu)
     Importance: Wishlist
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1958131

Title:
  Sync cpio 2.13+dfsg-7 (main) from Debian sid (main)

Status in cpio package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cpio/+bug/1958131/+subscriptions

More information about the Ubuntu-sponsors mailing list