On Fri, 2023-12-22 08:42:46 +0100, Salvatore Bonaccorso wrote:
> Hi Anibal,
>
> On Fri, Dec 22, 2023 at 06:21:04AM +0000, Debian Bug Tracking System wrote:
> > cpio (2.14+dfsg-1) unstable; urgency=medium
> > .
> >   * New upstream release
> >     Closes: #1049402
> >     Noteworthy changes in this release:
> >     - New option --ignore-dirnlink
> >       Valid in copy-out mode, it instructs cpio to ignore the actual number
> >       of links reported for each directory member and always store 2
> >       instead.
> >     - Changes in --reproducible option
> >       The --reproducible option implies --ignore-dirlink. In other words,
> >       it is equivalent to --ignore-devno --ignore-dirnlink
> >       --renumber-inodes.
> >     - Use GNU ls algorithm for deciding timestamp format in -tv mode
> >     - Bugfixes
> >       - Fix cpio header verification.
> >       - Fix handling of device numbers on copy out.
> >       - Fix calculation of CRC in copy-out mode.
> >       - Rewrite the fix for CVE-2015-1197.
> >       - Fix combination of --create --append --directory.
> >       - Fix appending to archives bigger than 2G.
> >   * Update uploaders list
> >     Closes: #925021
> >   * Standards-Version: 4.6.2
> >   * Fix Path traversal vulnerability due to partial revert of fix for
> >     CVE-2015-1197
> >     Closes: #1059163
>
> Thanks for this upload to unstable. Can you check if the upstream
> redone changes for CVE-2015-1197 are backportable, and if so can you
> address the issue in the upcoming point releases for bookworm and
> bullseye?
>
> Regards,
> Salvatore
Sure. The commit in question is at: https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=376d663340a9dc91c91a5849e5713f07571c1628