Re: cpio and CVE-2019-14866 for testing
On 29/10/2019 23:12, Ola Lundqvist wrote:
> Hi LTS contributors
> I have built a cpio package with CVE-2019-14866 corrected.
> According to my testing it is no longer possible to reproduce the
> problem reported in this CVE.
> You can find the packages I have produced here:
> The (so far rather limited) testing I have done can be found in
> How to reproduce the problem can be found in the patch. It is easy to
> reproduce the problem on both jessie and wheezy.
> The debdiff is found in cpio.debdiff.
> Since cpio is a rather crucial package I would like some more people
> to test this package. At least for regression.
I got contacted by the cpio maintainer Sergey Poznyakoff <email@example.com>
who told me he was in the process of fixing it.
You could coordinate with him and/or watch the upstream git repo for a
sanctioned patch, which should help with your testing requirements :)