GNU cpio through 2.13 allows attackers to execute arbitrary code via a
crafted pattern file, because of a dstring.c ds_fgetstr integer overflow
that triggers an out-of-bounds heap write. NOTE: it is unclear whether
there are common cases where the pattern file, associated with the -E
option, is untrusted data.
Author | Note |
---|---|
mdeslaur | Second commit fixes a regression. There seems to still be a regression even with the second commit, as it is causing the kernel to FTBFS. Also see Debian bugs for regressions. The third commit likely fixes the kernel regressions. |

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | cpio | < 2.12+dfsg-6ubuntu0.18.04.4 | UNKNOWN |
ubuntu | 20.04 | noarch | cpio | < 2.13+dfsg-2ubuntu0.3 | UNKNOWN |
ubuntu | 21.04 | noarch | cpio | < 2.13+dfsg-4ubuntu0.3 | UNKNOWN |
ubuntu | 21.10 | noarch | cpio | < 2.13+dfsg-4ubuntu4 | UNKNOWN |
ubuntu | 22.04 | noarch | cpio | < 2.13+dfsg-4ubuntu4 | UNKNOWN |
ubuntu | 22.10 | noarch | cpio | < 2.13+dfsg-4ubuntu4 | UNKNOWN |
ubuntu | 23.04 | noarch | cpio | < 2.13+dfsg-4ubuntu4 | UNKNOWN |
ubuntu | 14.04 | noarch | cpio | < 2.11+dfsg-1ubuntu1.2+esm2 (Available with Ubuntu Pro or Ubuntu Pro (Infra-only)) | UNKNOWN |
ubuntu | 16.04 | noarch | cpio | < 2.11+dfsg-5ubuntu1.1+esm1 (Available with Ubuntu Pro or Ubuntu Pro (Infra-only)) | UNKNOWN |
github.com/fangqyi/cpiopwn
launchpad.net/bugs/cve/CVE-2021-38185
lists.gnu.org/archive/html/bug-cpio/2021-08/msg00000.html
lists.gnu.org/archive/html/bug-cpio/2021-08/msg00002.html
nvd.nist.gov/vuln/detail/CVE-2021-38185
security-tracker.debian.org/tracker/CVE-2021-38185
ubuntu.com/security/notices/USN-5064-1
ubuntu.com/security/notices/USN-5064-2
ubuntu.com/security/notices/USN-5064-3
www.cve.org/CVERecord?id=CVE-2021-38185