Bug 1300207 (CVE-2016-2037)

Summary: CVE-2016-2037 cpio: out of bounds write
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: carnil, cbuissar, databases-maint, kdudka, mdshaikh, ovasik, praiskup, slawomir, thomas.jarosch, trepik
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-03-17 13:28:23 UTC
Bug Depends On: 1300208
Bug Blocks: 1300204

Description Andrej Nemec 2016-01-20 09:27:56 UTC
An out-of-bounds write was found in the way cpio parses certain cpio files. A specially crafted file can cause the application to crash.

Original bug report with reproducer:

http://seclists.org/oss-sec/2016/q1/136

Comment 1 Andrej Nemec 2016-01-20 09:28:21 UTC
Created cpio tracking bugs for this issue:

Affects: fedora-all [bug 1300208]

Comment 2 Andrej Nemec 2016-02-12 15:12:34 UTC
Upstream fix:

https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html

Comment 6 Thomas Jarosch 2016-04-06 11:21:22 UTC
May I ask why this issue was closed as "WONTFIX"?

The cpio versions in Fedora 22 and RHEL 7 are affected and are not patched.

According to LWN (lwn.net/Vulnerabilities/675700/), the issue is an out-of-bounds write.

cpio might be invoked by amavisd-new email content scanner.

Comment 7 Thomas Jarosch 2016-04-06 11:31:19 UTC
Alright, so there's a tracking bug for Fedora. Mea culpa.

Still, RHEL seems affected, too.

Comment 8 Cedric Buissart 2016-04-07 08:55:29 UTC
It's not uncommon for us to close security issues as WONTFIX if we think that they are not critical enough to warrant an immediate security fix.

If you can provide us with additional information, concerns or further questions, you are welcome to contact us via secalert