Re: cpio and CVE-2019-14866 for testing
Hi,
On 29/10/2019 23:12, Ola Lundqvist wrote:
> Hi LTS contributors
>
> I have built a cpio package with CVE-2019-14866 corrected.
> According to my testing it is no longer possible to reproduce the
> problem reported in this CVE.
>
> You can find the packages I have produced here:
> http://apt.inguza.net/jessie-security/cpio
>
> The (so far rather limited) testing I have done can be found in
> README.testresult
> How to reproduce the problem can be found in the patch. It is easy to
> reproduce the problem on both jessie and wheezy.
>
> The debdiff is found in cpio.debdiff.
>
> Since cpio is a rather crucial package I would like some more people
> to test this package. At least for regression.
I got contacted by cpio maintainer Sergey Poznyakoff <gray@gnu.org.ua>,
who told me he was in the process of fixing it.
You could coordinate with him and/or watch the upstream git repo for a
sanctioned patch, which should help with your testing requirements :)
Cheers!
Sylvain