
cpio and CVE-2019-14866 for testing



Hi LTS contributors

I have built a cpio package with CVE-2019-14866 corrected.
According to my testing it is no longer possible to reproduce the problem reported in this CVE.

You can find the packages I have produced here:
http://apt.inguza.net/jessie-security/cpio

The (so far rather limited) testing I have done can be found in README.testresult.
How to reproduce the problem can be found in the patch. It is easy to reproduce the problem on both jessie and wheezy.

The debdiff is found in cpio.debdiff.

Since cpio is a rather crucial package I would like some more people to test this package. At least for regression.

An interesting note is that the patch solved the CVE for jessie, but for some unknown reason it did not solve the problem for wheezy. I have not yet found out why.

Best regards

// Ola

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

