
Re: cpio and CVE-2019-14866 for testing


Thank you. I have concluded that the patch only works on amd64, not on i386.

I'll contact the maintainer.

// Ola

On Sun, 3 Nov 2019 at 18:03, Sylvain Beucler <beuc@beuc.net> wrote:

On 29/10/2019 23:12, Ola Lundqvist wrote:
> Hi LTS contributors
> I have built a cpio package with CVE-2019-14866 corrected.
> According to my testing it is no longer possible to reproduce the
> problem reported in this CVE.
> You can find the packages I have produced here:
> http://apt.inguza.net/jessie-security/cpio
> The (so far rather limited) testing I have done can be found in
> README.testresult
> How to reproduce the problem can be found in the patch. It is easy to
> reproduce the problem on both jessie and wheezy.
> The debdiff is found in cpio.debdiff.
> Since cpio is a rather crucial package I would like some more people
> to test this package. At least for regression.

I got contacted by cpio maintainer Sergey Poznyakoff <gray@gnu.org.ua>
who told me he was in the process of fixing it.

You could coordinate with him and/or watch the upstream git repo for a
sanctioned patch, which should help with your testing requirements :)


 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
