This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. [bug automatically created by: add-tracking-bugs]
Use the following template to for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. ===== # bugfix, security, enhancement, newpackage (required) type=security # testing, stable request=testing # Bug numbers: 1234,9876 bugs=1179773,1188590 # Description of your update notes=Security fix for CVE-2015-1197 # Enable request automation based on the stable/unstable karma thresholds autokarma=True stable_karma=3 unstable_karma=-3 # Automatically close bugs when this marked as stable close_bugs=True # Suggest that users restart after update suggest_reboot=False ====== Additionally, you may opt to use the bodhi update submission link instead: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1179773,1188590
Upstream thread, however no patch applied not even discussed upstream: http://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html
Cedric tried to propose a fix, but no upstream response (I'm still waiting for upstream patch): https://www.mail-archive.com/bug-cpio@gnu.org/msg00590.html https://www.mail-archive.com/bug-cpio@gnu.org/msg00614.html
Fix for this applied in Rawhide (and F32 now that it is branched): https://src.fedoraproject.org/rpms/cpio/c/63079c346586abcdf9326a8df8059a0081efee5e?branch=master However, this seems to have resulted in bug 1797163 ... Upstream is pretty silent on the matter, only recommending to revert the fix for CVE-2015-1197 (in 45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca).
Reverted in rawhide while waiting for new upstream fix. https://src.fedoraproject.org/rpms/cpio/c/29b1706544c1013181757c85d64c6e49cea95681?branch=master Discussion in bug 1797163
Petr, looking into the bug 1797163, it looks like it's fixed, also the CVEs listed in the blocks list are resolved. Do you think we can close this BZ, or you track something else in here?
Hi Lukas, bug 1797163 is closed, but that was thanks to the revert we did for this CVE. I do not think this CVE is yet fixed in Fedora, unless there was some rebase done recently. You would have to check for the status upstream.
Setting needinfo for the question in comment #7.
Thank you for the details. I've looked into the upstream repository and don't see anything suggesting it's fixed. Just to be sure, I've sent an email to the cpio upstream developers to find out if there is some fix for this CVE or it's not. I'll post any update I get here.
I got a response from the upstream. The CVE should be fixed by: http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=376d663340a9dc91c91a5849e5713f07571c1628
Both of the CVEs are now fixed in the new cpio-2.14 version. The Fedora Rawhide cpio-2.14 package is now in the stable repository.