package/cpio: fix CVE-2021-38185
author Fabrice Fontaine <fontaine.fabrice@gmail.com>
Thu, 19 Aug 2021 21:46:09 +0000 (23:46 +0200)
committer Yann E. MORIN <yann.morin.1998@free.fr>
Fri, 20 Aug 2021 08:08:22 +0000 (10:08 +0200)
commit 89857df2d1233f60ca7702b387d8e2a17e125d23
tree 18b310c151ebeddf734c30a9ef2712bdb5e825d5
parent 6fdac7fd193507789b568d5e6839e6d100edbf26
package/cpio: fix CVE-2021-38185

GNU cpio through 2.13 allows attackers to execute arbitrary code via a
crafted pattern file, because of a dstring.c ds_fgetstr integer overflow
that triggers an out-of-bounds heap write. NOTE: it is unclear whether
there are common cases where the pattern file, associated with the -E
option, is untrusted data.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
package/cpio/0002-Rewrite-dynamic-string-support.patch [new file with mode: 0644]
package/cpio/0003-Fix-previous-commit.patch [new file with mode: 0644]
package/cpio/cpio.mk
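
The bug class named in the commit message (a size computed in a signed integer overflows while a dynamic string grows, so later writes land outside the heap buffer), as an added example that is not cpio's code and not part of this commit. The struct, the function names and the `cap * 2 + 2` growth rule are hypothetical, chosen for illustration; the weak form is modelled in 32-bit arithmetic beside a hardened form that checks every doubling.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical growable string: a model of the bug class, not cpio's code. */
struct dstr { char *buf; size_t len; size_t cap; };

/* Weak form, modelled in 32 bits: the new size cap*2+2 is computed in a
   signed int and the buffer is grown only if that result exceeds cap.
   Returns 1 if the grow would happen, 0 if it is silently skipped. */
int weak_grows(int32_t cap)
{
    uint32_t wrapped = (uint32_t)cap * 2u + 2u;        /* 32-bit wraparound */
    int64_t as_int = wrapped > (uint32_t)INT32_MAX
                   ? (int64_t)wrapped - 4294967296LL : (int64_t)wrapped;
    return as_int > cap;  /* 0 means: no realloc, writes continue anyway */
}

/* Hardened form: size_t arithmetic, every doubling checked before use. */
int dstr_reserve(struct dstr *s, size_t need)
{
    size_t cap = s->cap ? s->cap : 16;
    if (need <= s->cap) return 0;
    while (cap < need) {
        if (cap > SIZE_MAX / 2) return -1;             /* doubling would wrap */
        cap *= 2;
    }
    char *p = realloc(s->buf, cap);
    if (p == NULL) return -1;
    s->buf = p; s->cap = cap;
    return 0;
}

/* Append one byte and keep the string NUL-terminated; -1 on any failure. */
int dstr_putc(struct dstr *s, char c)
{
    if (s->len > SIZE_MAX - 2) return -1;              /* len + 2 would wrap */
    if (dstr_reserve(s, s->len + 2) != 0) return -1;
    s->buf[s->len++] = c;
    s->buf[s->len] = '\0';
    return 0;
}

int main(void)
{
    printf("weak: %d %d\n", weak_grows(16), weak_grows(0x40000000));
    return 0;
}
```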