Public bug reported: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
affects ubuntu/cpio status new importance wishlist subscribe ubuntu-sponsors done Please sync cpio 2.13+dfsg-7 (main) from Debian sid (main) Explanation of the Ubuntu delta and why it can be dropped: * SECURITY UPDATE: arbitrary code execution via crafted pattern file - debian/patches/CVE-2021-38185.patch: rewrite dynamic string support in src/copyin.c, src/copyout.c, src/copypass.c, src/dstring.c, src/dstring.h, src/util.c. - debian/patches/CVE-2021-38185.2.patch: don't call ds_resize in a loop in src/dstring.c. - debian/patches/CVE-2021-38185.3.patch: fix dynamic string reallocations in src/dstring.c. - CVE-2021-38185 * Back out CVE-2021-381185 patches for now as they appear to be causing a regression when building the kernel - debian/patches/CVE-2021-38185.patch: disabled - debian/patches/CVE-2021-38185.2.patch: disabled * SECURITY UPDATE: arbitrary code execution via crafted pattern file - debian/patches/CVE-2021-38185.2.patch: don't call ds_resize in a loop in src/dstring.c. - CVE-2021-38185 * SECURITY UPDATE: arbitrary code execution via crafted pattern file - debian/patches/CVE-2021-38185.patch: rewrite dynamic string support in src/copyin.c, src/copyout.c, src/copypass.c, src/dstring.c, src/dstring.h, src/util.c. - CVE-2021-38185 The code changes by the patch series in Ubuntu and Debian are the same. The patches are just name differently: d/992045-CVE-2021-38185-rewrite-dynamic-string-support u/patches/CVE-2021-38185.patch d/992098-regression-of-orig-fix-for-CVE-2021-38185 u/CVE-2021-38185.2.patch d/992192-Fix-dynamic-string-reallocations.patch u/patches/CVE-2021-38185.3.patch -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEK7wKXt3/btL6/yA+hO4vgnE3U0sFAmHlU6oACgkQhO4vgnE3 U0s83g//e0P9zbgAB77m0zHcBpyiAYrIDfaWHGGXOARuRd7T5GXrrYFEo1ldGSqy eq9MrcQmFjEjy+0O7AGzmMVoQL0zyjze4OKIEb/8Hv2z9asyscJkI8zkTH7oO+Sg GWER6yP66MCOvTCseGMdlrCWng93GAyJbJSOhVFh1t0Pssl3QJ3txPdNU5j6jKwS b7NKnAMLvxBUHpftayFMHUtbZ/RpTzJavnQlperzN9W9OBbVccwSWwBJ3rjPoj1D LOaXxeuWBDcHi9k7bB/HtDIitkQDvFSqCB0otn14F3I5BUCiM3xqT7kiGZAeP6TP jny3IElHXDdepZOjqZ+UTJ0oTldKxRErz3XXWl32gVB0dOUgF7GgSoPSKckCp5hG P7f7stsc3Cout+jo88AUEDmsV9GX5kLLGFfC8kGlXnIS9S7lH+yd1xfNd6WmZkyd 79pZAXZXAO/wrcD+g2U4OaD5a+LPYDxul6aA2l8hykN9OcN5Q+/F/r5DT2Oa4GeV vCvpbXrs+WGOPfU50qwofB0lhBScsHZ9Yuga6l3VWBrFnbgT0G1ceYqc5X/ym4is fTEBCthtTq7mDVzuSCGe21Ar4TwQtSPhwCu5RRLphmkIREFbFhBLDzSS8wQyyz2V OJuv38UGAmhOMajhmt504BBb/ssMf5ItdRX1+imF0MTQrX4YSbg= =2bpu -----END PGP SIGNATURE----- ** Affects: cpio (Ubuntu) Importance: Wishlist Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1958131 Title: Sync cpio 2.13+dfsg-7 (main) from Debian sid (main) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cpio/+bug/1958131/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs