Hi
Ok, thank you. Then I'll use the version Thomas used for Debian old and
oldold stable. I'll use that as I have tested it already and it is easier
to read for someone wanting to compare the difference compared to an older
version.
Best regards
// Ola
On Mon, 4 Nov 2019 at 21:25, Sergey
Hi Ola,
> Hi Sergey
>
> I can see that the fix is quite different from the one Thomas proposed. Do
> I understand correctly that this fix go around the problem in a different
> way?
Not quite so. It takes basically the same approach as the fix Thomas
proposed, but also removes unnecessary code
Hi Sergey
I can see that the fix is quite different from the one Thomas proposed. Do
I understand correctly that this fix go around the problem in a different
way? I do not see any explicit value > 0 check. Instead it looks like the
fix allows larger file sizes instead of telling that they are
Hi Ola & Thomas,
> I have been preparing fixes for CVE-2019-14866 for Debian oldstable
Thank you. The issue has been fixed in commit 7554e3e4 [1].
Regards,
Sergey
[1]
http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=7554e3e42cd72f6f8304410c47fe6f8918e9bfd7
On Mon, 4 Nov 2019 07:10:31 +, Ola Lundqvist said:
> I think the reason for this is that a long is 32 bit on i386 while it is 64
> bits on amd64.
>
> The fix is very simple. Change the "long" to a "long long" in
> to_out_or_error.
Good catch.
Yeah, the fix looks good to me.
--
typedef
Hi again
The new patch can be found here:
http://apt.inguza.net/wheezy-security/cpio/CVE-2019-14866.patch
It is not perfectly properly documented since it refers to a commit that do
not contain it all. But I think you get the point anyway.
// Ola
On Mon, 4 Nov 2019 at 08:10, Ola Lundqvist
Hi Sergey, Thomas and cpio Debian maintainers
I have been preparing fixes for CVE-2019-14866 for Debian oldstable and
oldoldstable. While doing that I realized that the patch mentioned here (1)
do work for amd64 but do not work for i386.
I was able to build on both amd64 and i386 but the fix
7 matches
Mail list logo
