Re: CVE-2019-14866



Hi again

The new patch can be found here:
http://apt.inguza.net/wheezy-security/cpio/CVE-2019-14866.patch

It is not perfectly properly documented since it refers to a commit that does not contain it all. But I think you get the point anyway.

// Ola

On Mon, 4 Nov 2019 at 08:10, Ola Lundqvist <ola@inguza.com> wrote:
Hi Sergey, Thomas and cpio Debian maintainers

I have been preparing fixes for CVE-2019-14866 for Debian oldstable and oldoldstable. While doing that I realized that the patch mentioned here (1) does work for amd64 but does not work for i386.
I was able to build on both amd64 and i386 but the fix obviously did not work on i386 since I could reproduce the problem.

I think the reason for this is that a long is 32 bits on i386 while it is 64 bits on amd64.

(1) https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg00003.html  

The fix is very simple. Change the "long" to a "long long" in to_out_or_error.

With that correction it works when I build and test on i386.
Please let me know what you think. I'm going to upload a fixed package to Debian old and oldold stable tomorrow.

Best regards

// Ola

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
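The width problem described in the message above, as an added example that is not part of the original mail and is not cpio code: a range check that receives its value through a 32-bit `long` sees only the low 32 bits, so an oversized value can pass, while the same check with a `long long` parameter rejects it. The function names, the 7-digit octal field and the sample values are constructed for illustration, and the 32-bit `long` is modelled with `int32_t` so the result is the same on any build host.

```c
#include <stdint.h>
#include <stdio.h>

/* Largest value that fits in `digits` octal digits (constructed field). */
static int64_t field_max(int digits) {
    return ((int64_t)1 << (3 * digits)) - 1;
}

/* Models a 32-bit `long` parameter as on i386: only the low 32 bits of the
   caller's value arrive, read as two's complement. Written out by hand so
   the result does not depend on the platform running the example. */
static int32_t narrow_to_long32(int64_t v) {
    uint32_t low = (uint32_t)(uint64_t)v;
    if (low <= (uint32_t)INT32_MAX)
        return (int32_t)low;
    return (int32_t)(low - 0x80000000u) + INT32_MIN;
}

/* Hypothetical check whose parameter is a 32-bit `long`. */
static int fits_field_long32(int64_t value, int digits) {
    int32_t seen = narrow_to_long32(value);   /* truncated before the check */
    return seen >= 0 && seen <= field_max(digits);
}

/* The same check with a 64-bit `long long` parameter. */
static int fits_field_longlong(int64_t value, int digits) {
    return value >= 0 && value <= field_max(digits);
}

int main(void) {
    /* Constructed samples: field maximum, maximum + 1, and 2^32 + 5. */
    const int64_t samples[] = { 2097151, 2097152, 4294967301LL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%lld: long32=%d longlong=%d\n", (long long)samples[i],
               fits_field_long32(samples[i], 7),
               fits_field_longlong(samples[i], 7));
    return 0;
}
```

Only the third sample separates the two variants, which matches the report that the same patch behaved correctly on amd64 and not on i386.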
