Re: CVE-2019-14866

To: Sergey Poznyakoff <gray@gnu.org.ua>
Cc: Ola Lundqvist <ola@inguza.com>, Thomas Habets <thomas@habets.se>, cpio@packages.debian.org, 941412@bugs.debian.org, Debian LTS <debian-lts@lists.debian.org>, Debian Extended LTS contributors <extended-lts-team@freexian.com>
Subject: Re: CVE-2019-14866
From: Ola Lundqvist <ola@inguza.com>
Date: Mon, 4 Nov 2019 17:32:06 +0100
Message-id: <[🔎] CABY6=0mwKk+X8rE5pQkEf22S=u9pFz=NnSqcVk2pXwtXg6CJ4g@mail.gmail.com>
In-reply-to: <[🔎] 20191104163347.26596@ulysses.gnu.org.ua>
References: <[🔎] CABY6=0kCsyE6JirONW4ZovBf860tT9=YKugR47V9gaJbGJZEcQ@mail.gmail.com> <[🔎] 20191104163347.26596@ulysses.gnu.org.ua>

Hi Sergey

I can see that the fix is quite different from the one Thomas proposed. Do I understand correctly that this fix go around the problem in a different way? I do not see any explicit value > 0 check. Instead it looks like the fix allows larger file sizes instead of telling that they are not ok. Is that correct?

// Ola

On Mon, 4 Nov 2019 at 15:34, Sergey Poznyakoff <gray@gnu.org.ua> wrote:

Hi Ola & Thomas,

> I have been preparing fixes for CVE-2019-14866 for Debian oldstable

Thank you. The issue has been fixed in commit 7554e3e4 [1].

Regards,
Sergey

[1] http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=7554e3e42cd72f6f8304410c47fe6f8918e9bfd7

--- Inguza Technology AB --- MSc in Information Technology ----

| ola@inguza.com opal@debian.org |

| http://inguza.com/ Mobile: +46 (0)70-332 1551 |

---------------------------------------------------------------

Reply to:

Follow-Ups:
- Re: CVE-2019-14866
  - From: Sergey Poznyakoff <gray@gnu.org.ua>

References:
- CVE-2019-14866
  - From: Ola Lundqvist <ola@inguza.com>
- Re: CVE-2019-14866
  - From: Sergey Poznyakoff <gray@gnu.org.ua>

Prev by Date: Re: CVE-2019-14866
Next by Date: Re: CVE-2019-14866
Previous by thread: Re: CVE-2019-14866
Next by thread: Re: CVE-2019-14866
Index(es):
- Date
- Thread