Debian Bug report logs - #1059163
cpio: CVE-2023-7207: Path traversal vulnerability due to partial revert of fix for CVE-2015-1197
Reported by: Ingo Brückl <ib@oddnet.de>
Date: Wed, 20 Dec 2023 19:03:02 UTC
Severity: important
Tags: bookworm, bullseye, security
Found in version cpio/2.13+dfsg-7.1
Fixed in version cpio/2.14+dfsg-1
Done: Anibal Monsalve Salazar <anibal@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>: Bug#1059163; Package cpio. (Wed, 20 Dec 2023 19:03:04 GMT)
Acknowledgement sent to Ingo Brückl <ib@oddnet.de>: New Bug report received and forwarded. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Wed, 20 Dec 2023 19:03:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: cpio
Version: 2.13+dfsg-7.1
Severity: grave
The patch "revert-CVE-2015-1197-handling" (to close bugs #946267 and #946469)
re-enables a path traversal vulnerability with maliciously crafted cpio archives.
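The report above describes the risk in one sentence: a crafted archive whose member names or symlinks point outside the extraction directory. As an added, defender-side example (not cpio's code and not the Debian patch under discussion), the following script parses the cpio "newc" (SVR4, magic 070701) format and lists members that should not be extracted as-is: absolute names, `..` components, symlinks whose target escapes the extraction directory, and members whose path passes through a symlink created earlier in the same archive (the general shape of archive symlink traversal; the page does not describe cpio's specific mechanism). The sample archive is constructed inline, so the script runs offline; `newc_entry`, `build_archive`, `iter_newc` and `scan_archive` are names chosen here.

```python
"""Pre-extraction scanner for cpio "newc" archives (added example, not cpio's
own code).  Flags member names and symlink targets that could escape the
extraction directory.  The sample archive at the bottom is constructed inline."""
import posixpath

NEWC_MAGIC = b"070701"
HEADER_LEN = 110                    # magic (6) + 13 hex fields of 8 chars each
S_IFMT, S_IFLNK = 0o170000, 0o120000


def _pad4(n: int) -> int:
    """Bytes needed to round n up to a multiple of 4 (newc aligns name and data)."""
    return (-n) % 4


def newc_entry(name: str, data: bytes, mode: int) -> bytes:
    """Serialize one newc member (used here only to construct sample input)."""
    name_b = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
    # rdevmajor, rdevminor, namesize (incl. NUL), check (unused in newc)
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    head = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields) + name_b
    head += b"\0" * _pad4(len(head))
    return head + data + b"\0" * _pad4(len(data))


def build_archive(members) -> bytes:
    """Concatenate members and terminate with the mandatory TRAILER!!! record."""
    return b"".join(newc_entry(*m) for m in members) + newc_entry("TRAILER!!!", b"", 0)


def iter_newc(buf: bytes):
    """Yield (name, mode, data) for each member up to the TRAILER!!! record."""
    off = 0
    while off + HEADER_LEN <= len(buf):
        if buf[off:off + 6] != NEWC_MAGIC:
            raise ValueError(f"not a newc header at offset {off}")
        fields = [int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = fields[1], fields[6], fields[11]
        name_off = off + HEADER_LEN
        name = buf[name_off:name_off + namesize - 1].decode("utf-8", "replace")
        data_off = name_off + namesize
        data_off += _pad4(data_off)          # entries start 4-aligned, so absolute == relative
        if name == "TRAILER!!!":
            return
        yield name, mode, buf[data_off:data_off + size]
        off = data_off + size + _pad4(size)
    raise ValueError("archive ended without TRAILER!!!")


def scan_archive(buf: bytes) -> dict:
    """Return {member name: [reasons]} for every member that must not be extracted as-is."""
    findings = {}
    symlinks = set()                         # names of symlinks seen earlier in the archive
    for name, mode, data in iter_newc(buf):
        reasons = []
        parts = name.split("/")
        if name.startswith("/"):
            reasons.append("absolute path")
        if ".." in parts:
            reasons.append("'..' component")
        # A member whose path goes through a symlink created earlier would be
        # written wherever that link points, not under the extraction directory.
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in symlinks:
                reasons.append(f"path passes through symlink {prefix!r}")
                break
        if mode & S_IFMT == S_IFLNK:
            symlinks.add(name)
            target = data.decode("utf-8", "replace")
            # Resolve the target lexically relative to the link's own directory.
            resolved = posixpath.normpath(posixpath.join(posixpath.dirname(name), target))
            if posixpath.isabs(target) or resolved == ".." or resolved.startswith("../"):
                reasons.append(f"symlink target {target!r} escapes extraction dir")
        if reasons:
            findings[name] = reasons
    return findings


SAMPLE_MEMBERS = [                           # constructed sample input, not a real archive
    ("etc/ok.txt", b"hello\n", 0o100644),
    ("../../etc/evil", b"owned\n", 0o100644),
    ("/tmp/absolute", b"", 0o100644),
    ("link", b"../../outside", 0o120777),
    ("link/payload", b"x", 0o100644),
]
SAMPLE_ARCHIVE = build_archive(SAMPLE_MEMBERS)

if __name__ == "__main__":
    for member, reasons in scan_archive(SAMPLE_ARCHIVE).items():
        print(f"{member}: {'; '.join(reasons)}")
```

The checks are purely lexical, which is what makes them usable before anything touches the filesystem; a real extractor additionally has to re-check at extraction time, since a symlink created by one member changes where every later member lands.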
Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 20 Dec 2023 20:09:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>: Bug#1059163; Package cpio. (Fri, 22 Dec 2023 02:45:03 GMT)
Acknowledgement sent to Aníbal Monsalve Salazar <anibal@debian.org>: Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Fri, 22 Dec 2023 02:45:03 GMT)
Message #12 received at 1059163@bugs.debian.org:
On Wed, 2023-12-20 19:55:30 +0100, Ingo Brückl wrote:
> Package: cpio
> Version: 2.13+dfsg-7.1
> Severity: grave
>
> The patch "revert-CVE-2015-1197-handling" (to close bugs #946267 and #946469)
> re-enables a path traversal vulnerability with maliciously crafted cpio archives.
Hello Ingo,
I have been working on a new Debian version of cpio for the last couple
of days. I hope to upload it today. I will appreciate it very much if
you could give it a try after uploading it.
Thank you for your previous messages related to this security
vulnerability.
I will send those messages to Salvatore.
Kind regards,
Aníbal
Reply sent to Anibal Monsalve Salazar <anibal@debian.org>: You have taken responsibility. (Fri, 22 Dec 2023 06:21:04 GMT)
Notification sent to Ingo Brückl <ib@oddnet.de>: Bug acknowledged by developer. (Fri, 22 Dec 2023 06:21:04 GMT)
Message #17 received at 1059163-close@bugs.debian.org:
Source: cpio
Source-Version: 2.14+dfsg-1
Done: Anibal Monsalve Salazar <anibal@debian.org>
We believe that the bug you reported is fixed in the latest version of
cpio, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1059163@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated cpio package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 22 Dec 2023 16:38:54 +1100
Source: cpio
Architecture: source
Version: 2.14+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Closes: 925021 1049402 1059163 1059238
Changes:
cpio (2.14+dfsg-1) unstable; urgency=medium
.
* New upstream release
Closes: #1049402
Noteworthy changes in this release:
- New option --ignore-dirnlink
Valid in copy-out mode, it instructs cpio to ignore the actual number
of links reported for each directory member and always store 2
instead.
- Changes in --reproducible option
The --reproducible option implies --ignore-dirlink. In other words,
it is equivalent to --ignore-devno --ignore-dirnlink --renumber-inodes.
- Use GNU ls algorithm for deciding timestamp format in -tv mode
- Bugfixes
- Fix cpio header verification.
- Fix handling of device numbers on copy out.
- Fix calculation of CRC in copy-out mode.
- Rewrite the fix for CVE-2015-1197.
- Fix combination of --create --append --directory.
- Fix appending to archives bigger than 2G.
* Update uploaders list
Closes: #925021
* Standards-Version: 4.6.2
* Fix Path traversal vulnerability due to partial revert of fix for CVE-2015-1197
Closes: #1059163
* cpio-win32 is no longer needed
Closes: #1059238
Checksums-Sha1:
eb78be01c0a20b510407d20c8b6271aafa6359b8 1906 cpio_2.14+dfsg-1.dsc
c07f9046d70b4d83f873138bb7561e7b218ce6b9 1515680 cpio_2.14+dfsg.orig.tar.bz2
9336fac43abbb385ffc8637c67120a90e508ec0d 15096 cpio_2.14+dfsg-1.debian.tar.xz
0b09f929fb782060d6594b90aa49d8d7326bebd5 5582 cpio_2.14+dfsg-1_amd64.buildinfo
Checksums-Sha256:
1317473ea3b00cebce77af6ed954f98088087a460aa7a804c87c5def78b990a3 1906 cpio_2.14+dfsg-1.dsc
a45e1c39445fe663e0184d4d72b9f3d5f7ca273e875ce1992fafe49babff592c 1515680 cpio_2.14+dfsg.orig.tar.bz2
345cacb20aa4407f5db41ce9ea47c53a0304db8cec7031536f033bc1c44ac957 15096 cpio_2.14+dfsg-1.debian.tar.xz
d3468c3b3527726a39db610cd94eecd15c718cd96e9c9f46251ea9cdce4f6273 5582 cpio_2.14+dfsg-1_amd64.buildinfo
Files:
24196598763567c4564a0444d0f4863e 1906 utils important cpio_2.14+dfsg-1.dsc
a13f5918ce2580c1da5ea98dd8b34722 1515680 utils important cpio_2.14+dfsg.orig.tar.bz2
33392e3b8e3a8d5acf3ef044ef2ace1c 15096 utils important cpio_2.14+dfsg-1.debian.tar.xz
75094246fbcf85ac90766840c2d36711 5582 utils important cpio_2.14+dfsg-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
[signature body not included in this copy]
-----END PGP SIGNATURE-----
Severity set to 'important' from 'grave'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 22 Dec 2023 06:24:02 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>: Bug#1059163; Package cpio. (Fri, 22 Dec 2023 07:45:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Fri, 22 Dec 2023 07:45:03 GMT)
Message #24 received at 1059163@bugs.debian.org:
Hi Anibal,
On Fri, Dec 22, 2023 at 06:21:04AM +0000, Debian Bug Tracking System wrote:
> cpio (2.14+dfsg-1) unstable; urgency=medium
> .
> * New upstream release
> Closes: #1049402
> Noteworthy changes in this release:
> - New option --ignore-dirnlink
> Valid in copy-out mode, it instructs cpio to ignore the actual number
> of links reported for each directory member and always store 2
> instead.
> - Changes in --reproducible option
> The --reproducible option implies --ignore-dirlink. In other words,
> it is equivalent to --ignore-devno --ignore-dirnlink --renumber-inodes.
> - Use GNU ls algorithm for deciding timestamp format in -tv mode
> - Bugfixes
> - Fix cpio header verification.
> - Fix handling of device numbers on copy out.
> - Fix calculation of CRC in copy-out mode.
> - Rewrite the fix for CVE-2015-1197.
> - Fix combination of --create --append --directory.
> - Fix appending to archives bigger than 2G.
> * Update uploaders list
> Closes: #925021
> * Standards-Version: 4.6.2
> * Fix Path traversal vulnerability due to partial revert of fix for CVE-2015-1197
> Closes: #1059163
Thanks for this upload to unstable. Can you check if the upstream
redone changes for CVE-2015-1197 are backportable, and if so can you
address the issue in the upcoming point releases for bookworm and
bullseye?
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#1059163; Package cpio. (Fri, 22 Dec 2023 09:51:02 GMT)
Acknowledgement sent to Anibal Monsalve Salazar <anibal@debian.org>: Extra info received and forwarded to list. (Fri, 22 Dec 2023 09:51:03 GMT)
Message #29 received at 1059163@bugs.debian.org:
On Fri, 2023-12-22 08:42:46 +0100, Salvatore Bonaccorso wrote:
> Hi Anibal,
>
> On Fri, Dec 22, 2023 at 06:21:04AM +0000, Debian Bug Tracking System wrote:
> > cpio (2.14+dfsg-1) unstable; urgency=medium
> > .
> > * New upstream release
> > Closes: #1049402
> > Noteworthy changes in this release:
> > - New option --ignore-dirnlink
> > Valid in copy-out mode, it instructs cpio to ignore the actual number
> > of links reported for each directory member and always store 2
> > instead.
> > - Changes in --reproducible option
> > The --reproducible option implies --ignore-dirlink. In other words,
> > it is equivalent to --ignore-devno --ignore-dirnlink --renumber-inodes.
> > - Use GNU ls algorithm for deciding timestamp format in -tv mode
> > - Bugfixes
> > - Fix cpio header verification.
> > - Fix handling of device numbers on copy out.
> > - Fix calculation of CRC in copy-out mode.
> > - Rewrite the fix for CVE-2015-1197.
> > - Fix combination of --create --append --directory.
> > - Fix appending to archives bigger than 2G.
> > * Update uploaders list
> > Closes: #925021
> > * Standards-Version: 4.6.2
> > * Fix Path traversal vulnerability due to partial revert of fix for CVE-2015-1197
> > Closes: #1059163
>
> Thanks for this upload to unstable. Can you check if the upstream
> redone changes for CVE-2015-1197 are backportable, and if so can you
> address the issue in the upcoming point releases for bookworm and
> bullseye?
>
> Regards,
> Salvatore
Sure.
The commit in question is at:
https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=376d663340a9dc91c91a5849e5713f07571c1628
Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>: Bug#1059163; Package cpio. (Sat, 23 Dec 2023 08:03:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Sat, 23 Dec 2023 08:03:03 GMT)
Message #34 received at 1059163@bugs.debian.org:
Hi Anibal,
On Fri, Dec 22, 2023 at 08:46:19PM +1100, Anibal Monsalve Salazar wrote:
> On Fri, 2023-12-22 08:42:46 +0100, Salvatore Bonaccorso wrote:
> > Hi Anibal,
> >
> > On Fri, Dec 22, 2023 at 06:21:04AM +0000, Debian Bug Tracking System wrote:
> > > cpio (2.14+dfsg-1) unstable; urgency=medium
> > > .
> > > * New upstream release
> > > Closes: #1049402
> > > Noteworthy changes in this release:
> > > - New option --ignore-dirnlink
> > > Valid in copy-out mode, it instructs cpio to ignore the actual number
> > > of links reported for each directory member and always store 2
> > > instead.
> > > - Changes in --reproducible option
> > > The --reproducible option implies --ignore-dirlink. In other words,
> > > it is equivalent to --ignore-devno --ignore-dirnlink --renumber-inodes.
> > > - Use GNU ls algorithm for deciding timestamp format in -tv mode
> > > - Bugfixes
> > > - Fix cpio header verification.
> > > - Fix handling of device numbers on copy out.
> > > - Fix calculation of CRC in copy-out mode.
> > > - Rewrite the fix for CVE-2015-1197.
> > > - Fix combination of --create --append --directory.
> > > - Fix appending to archives bigger than 2G.
> > > * Update uploaders list
> > > Closes: #925021
> > > * Standards-Version: 4.6.2
> > > * Fix Path traversal vulnerability due to partial revert of fix for CVE-2015-1197
> > > Closes: #1059163
> >
> > Thanks for this upload to unstable. Can you check if the upstream
> > redone changes for CVE-2015-1197 are backportable, and if so can you
> > address the issue in the upcoming point releases for bookworm and
> > bullseye?
> >
> > Regards,
> > Salvatore
>
> Sure.
>
> The commit in question is at:
>
> https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=376d663340a9dc91c91a5849e5713f07571c1628
Great, thanks a lot.
I have added the above as well for reference in the security-tracker.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>: Bug#1059163; Package cpio. (Wed, 27 Dec 2023 11:03:04 GMT)
Acknowledgement sent to Ingo Brückl <ib@oddnet.de>: Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Wed, 27 Dec 2023 11:03:04 GMT)
Message #39 received at 1059163@bugs.debian.org:
On Fri, 22 Dec 2023 13:43:18 +1100, Aníbal Monsalve Salazar wrote:
> I have been working on a new Debian version of cpio for the last couple
> of days. I hope to upload it today. I will appreciate it very much if
> you could give it a try after uploading it.
It looks good to me.
Regards,
Ingo
Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>: Bug#1059163; Package cpio. (Fri, 05 Jan 2024 02:12:13 GMT)
Acknowledgement sent to Mark Esler <mark.esler@canonical.com>: Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Fri, 05 Jan 2024 02:12:13 GMT)
Message #44 received at 1059163@bugs.debian.org:
Please refer to this path traversal vulnerability as CVE-2023-7207.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7207
Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>: Bug#1059163; Package cpio. (Fri, 05 Jan 2024 06:09:02 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Fri, 05 Jan 2024 06:09:02 GMT)
Message #49 received at 1059163@bugs.debian.org:
Control: retitle -1 cpio: CVE-2023-7207: Path traversal vulnerability due to partial revert of fix for CVE-2015-1197
On Thu, Jan 04, 2024 at 08:01:18PM -0600, Mark Esler wrote:
> Please refer to this path traversal vulnerability as CVE-2023-7207.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7207
Thanks Mark. Added it as such to our tracker.
Anibal, the dates are not fixed yet, but the point releases are
expected around the beginning of February.
Regards,
Salvatore
Changed Bug title to 'cpio: CVE-2023-7207: Path traversal vulnerability due to partial revert of fix for CVE-2015-1197' from 'cpio: Path traversal vulnerability'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 1059163-submit@bugs.debian.org. (Fri, 05 Jan 2024 06:09:03 GMT)
Added tag(s) bullseye and bookworm. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 05 Jan 2024 06:27:06 GMT)
Last modified: Fri Aug 2 04:14:40 2024