Re: cpio and CVE-2019-14866 for testing

2019-11-03 Thread Ola Lundqvist
Hi

Thank you. I have concluded that the patch only works on amd64, not on i386.

I'll contact the maintainer.

// Ola

On Sun, 3 Nov 2019 at 18:03, Sylvain Beucler wrote:

> Hi,
>
> On 29/10/2019 23:12, Ola Lundqvist wrote:
> > Hi LTS contributors
> >
> > I have built a cpio package with CVE-2019-14866 corrected.
> > According to my testing it is no longer possible to reproduce the
> > problem reported in this CVE.
> >
> > You can find the packages I have produced here:
> > http://apt.inguza.net/jessie-security/cpio
> >
> > The (so far rather limited) testing I have done can be found in
> > README.testresult.
> > How to reproduce the problem can be found in the patch. It is easy to
> > reproduce the problem on both jessie and wheezy.
> >
> > The debdiff is found in cpio.debdiff.
> >
> > Since cpio is a rather crucial package I would like some more people
> > to test this package. At least for regression.
>
> I got contacted by cpio maintainer Sergey Poznyakoff
> who told me he was in the process of fixing it.
>
> You could coordinate with him and/or watch the upstream git repo for a
> sanctioned patch, which should help with your testing requirements :)
>
> Cheers!
> Sylvain
>
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology ---
|  o...@inguza.com      o...@debian.org              |
|  http://inguza.com/   Mobile: +46 (0)70-332 1551   |
 ---


Re: cpio and CVE-2019-14866 for testing

2019-11-03 Thread Sylvain Beucler
Hi,

On 29/10/2019 23:12, Ola Lundqvist wrote:
> Hi LTS contributors
>
> I have built a cpio package with CVE-2019-14866 corrected.
> According to my testing it is no longer possible to reproduce the
> problem reported in this CVE.
>
> You can find the packages I have produced here:
> http://apt.inguza.net/jessie-security/cpio
>
> The (so far rather limited) testing I have done can be found in
> README.testresult.
> How to reproduce the problem can be found in the patch. It is easy to
> reproduce the problem on both jessie and wheezy.
>
> The debdiff is found in cpio.debdiff.
>
> Since cpio is a rather crucial package I would like some more people
> to test this package. At least for regression.

I got contacted by cpio maintainer Sergey Poznyakoff
who told me he was in the process of fixing it.

You could coordinate with him and/or watch the upstream git repo for a
sanctioned patch, which should help with your testing requirements :)

Cheers!
Sylvain



cpio and CVE-2019-14866 for testing

2019-10-29 Thread Ola Lundqvist
Hi LTS contributors

I have built a cpio package with CVE-2019-14866 corrected.
According to my testing it is no longer possible to reproduce the problem
reported in this CVE.

You can find the packages I have produced here:
http://apt.inguza.net/jessie-security/cpio

The (so far rather limited) testing I have done can be found in
README.testresult.
How to reproduce the problem can be found in the patch. It is easy to
reproduce the problem on both jessie and wheezy.

The debdiff is found in cpio.debdiff.

Since cpio is a rather crucial package I would like some more people to
test this package. At least for regression.

An interesting note is that the patch solved the CVE for jessie, but for
some unknown reason it did not solve the problem for wheezy. I have not yet
found out why.

Best regards

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ---
|  o...@inguza.com      o...@debian.org              |
|  http://inguza.com/   Mobile: +46 (0)70-332 1551   |
 ---