A heap-based buffer overflow flaw was reported in cpio's list_file() function. Attempting to extract a malicious cpio archive could cause cpio to crash or, potentially, execute arbitrary code. As noted in the original report, this issue could be trigger via other utilities, such as when running "less". A patch is not yet available. Original report: http://seclists.org/fulldisclosure/2014/Nov/74
Created cpio tracking bugs for this issue: Affects: fedora-all [bug 1167573]
CVE request: http://www.openwall.com/lists/oss-security/2014/11/25/2
MITRE assigned CVE-2014-9112 to this issue: http://www.openwall.com/lists/oss-security/2014/11/26/20
Upstream commits (all are needed): http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff6 http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=54d1c42a http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=58df4f1b
There appear to be issues with the fix on i*86. As I wrote in the F20 update candidate on admin.fedoraproject.org: Testing the i686 package on Fedora 20 with the PoC: http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio With cpio-2.11-24.fc20 it actually does not segfault, but with cpio-2.11-28.fc20 it does, which is the opposite of what was supposed to happen. Also, I've added the same patches that Fedora has for this update in the Mageia cpio package. Our bug is here: https://bugs.mageia.org/show_bug.cgi?id=14765 As you can see, one of our QA members confirmed the vulnerability and fix on x86_64, but when I tested on i586, it segfaults both before and after the update. However, the package does have "make check" enabled, which passed when the package was built, so there may be something that was in the PoC that's missing from what has been added to the upstream testsuite in these patches.
David, thanks for catching this and letting us know! I have reported that issue upstream [1]. The remaining issue does not seem to be security anymore, and, for correct archives does not hurt (note that the tested cpio archive is broken intentionally, so the segfault is not _so bad_ now). If there is no disagreement, I would treat this as a separate issue/bug. [1] http://www.mail-archive.com/bug-cpio@gnu.org/msg00507.html Pavel
Thanks Pavel! I've synced the upstream changes: http://svnweb.mageia.org/packages?view=revision&revision=802713 It's working fine with the PoC now.
cpio-2.11-33.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
cpio-2.11-28.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2108 https://rhn.redhat.com/errata/RHSA-2015-2108.html