cpio: CVE-2014-9112

Debian Bug report logs - #772793
cpio: CVE-2014-9112

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: cpio: CVE-2014-9112

Date: Thu, 11 Dec 2014 07:15:17 +0100

Package: cpio
Severity: grave
Tags: security

Hi,
please see http://seclists.org/fulldisclosure/2014/Nov/74
for the original report.

Patches:
http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff6
http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=54d1c42a
http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=58df4f1b

Cheers,
        Moritz

Message #12 received at 772793@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Moritz Muehlenhoff <jmm@inutil.org>, 772793@bugs.debian.org

Subject: Re: Bug#772793: cpio: CVE-2014-9112

Date: Fri, 12 Dec 2014 10:41:50 +0100

Hi,

On Thu, Dec 11, 2014 at 07:15:17AM +0100, Moritz Muehlenhoff wrote:
> Package: cpio
> Severity: grave
> Tags: security
> 
> Hi,
> please see http://seclists.org/fulldisclosure/2014/Nov/74
> for the original report.
> 
> Patches:
> http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff6
> http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=54d1c42a
> http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=58df4f1b

There seem to be additional issues with the fix for i386:
https://bugzilla.redhat.com/show_bug.cgi?id=1167571#c9 (not verified
by myself, just noticed in Red Hat's Bugzilla).

Regards,
Salvatore

Message #17 received at 772793-close@bugs.debian.org (full text, mbox, reply):

From: Anibal Monsalve Salazar <anibal@debian.org>

To: 772793-close@bugs.debian.org

Subject: Bug#772793: fixed in cpio 2.11+dfsg-3

Date: Fri, 12 Dec 2014 12:03:55 +0000

Source: cpio
Source-Version: 2.11+dfsg-3

We believe that the bug you reported is fixed in the latest version of
cpio, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772793@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated cpio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 12 Dec 2014 10:41:11 +0000
Source: cpio
Binary: cpio cpio-win32
Architecture: source all amd64
Version: 2.11+dfsg-3
Distribution: experimental
Urgency: medium
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description:
 cpio       - GNU cpio -- a program to manage archives of files
 cpio-win32 - GNU cpio -- a program to manage archives of files (win32 build)
Closes: 772793
Changes:
 cpio (2.11+dfsg-3) experimental; urgency=medium
 .
   * Use default compression source options
   * Fix CVE-2014-9112.
     Add the following upstream patches:
     746f3ff6.patch
     54d1c42a.patch
     58df4f1b.patch
     Closes: #772793.
Checksums-Sha1:
 5610347122d510148148786b715c6f7a154bb314 1843 cpio_2.11+dfsg-3.dsc
 4b63f960fd7149626d835c50ababe7006880a94e 16292 cpio_2.11+dfsg-3.debian.tar.xz
 4ede4beabb6d8dd00ef39eff9039cefef750e956 59188 cpio-win32_2.11+dfsg-3_all.deb
 cb5612f474a44e084c3336b509799e2da010dc0d 176734 cpio_2.11+dfsg-3_amd64.deb
Checksums-Sha256:
 e53d6b7c4bcd9fdcd9a7757df7f32072534ab1cbb4dbe5b9ff474b6f34359897 1843 cpio_2.11+dfsg-3.dsc
 09d5625310f658c43fdac4e711487ae8231c8440a2712d579e13ce31acd4191d 16292 cpio_2.11+dfsg-3.debian.tar.xz
 35286732ff616fa593a05a7934bd36767625b6059f3c226063b826bbc664db9f 59188 cpio-win32_2.11+dfsg-3_all.deb
 394c1dcda55b1fdb48769fa6cdb8170c09e43eb0627d7b0c831e9d201b90d567 176734 cpio_2.11+dfsg-3_amd64.deb
Files:
 2e877a6d2e777230aff07a6a25cbd225 1843 utils important cpio_2.11+dfsg-3.dsc
 d7bb399213a463e77bde5e7e8e4567c0 16292 utils important cpio_2.11+dfsg-3.debian.tar.xz
 f06b2f12ba409dcf438adfbcddceeb04 59188 utils extra cpio-win32_2.11+dfsg-3_all.deb
 c2399c907e8c5c9ee02d1b109a968493 176734 utils important cpio_2.11+dfsg-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJUiteZAAoJEHxWrP6UeJfYqr8P/0rfmkXpuNVVSsN+BNGceUiA
0aQsRCWWZ1ofAiEUbfBZoEojJhiqwmPY3Qfn/xpAahcIL7XZn1A9NJXadPQ1VSNv
yw/rIwCUjJ5lKmIEOFftahNQUUxldU7cM3uQ9NWIXa+1Q/sERTsi2ykYKfcociWg
O/vbOu0gBjQtWZ4cqzTuDSqmZbuQWaaLfEUHjetACMiCj2lVFSck30V2lotXY5ZX
PLjyU6QqnJQs1PpGDYFsPccmy2IDBTh54oQsmU1BfsUXuADajjBkMMfaTbnxXfVF
2dzoisGVgDm9zc4oG4nUgKPhfIpz411AcmIQrpz+OjvDungVN72DenuD8/EkStLQ
rrVzqIoLVgGvS7c4NJsTBwz7KOtpmVr4ARqGtvSmH4IDq4ZObf1A1h7P//dnEjD5
NaC8g3ZY5qguXpzmRcpJB4A2iLMjgz76EPDwbh45B/1EUC0ox7coSQVEZa4e29zY
DkOykVeHBZuYqByIJtoAxpjLTRlM9uNIz5ChXUneKV2DK9HnQVr90rTS3kyxp//E
vsq/nHyh7R9sRPDSVYXmVRSVFmdHP4nsDdI3en1DIPfGX85xNxPWwBeMGGjKt6eB
GnekJDzAd+393gBV/uugtcUZ47+nsN1BPyWfDL8r7Bwgj9LDj08U5pYVVH4itY69
D7zmtFtFCDJyWj1o/Akp
=+2C4
-----END PGP SIGNATURE-----

Message #22 received at 772793@bugs.debian.org (full text, mbox, reply):

From: Aníbal Monsalve Salazar <anibal@debian.org>

To: debian-devel@lists.debian.org

Cc: Moritz Muehlenhoff <jmm@inutil.org>, Salvatore Bonaccorso <carnil@debian.org>, 772793@bugs.debian.org

Subject: Re: Bug#772793: cpio: CVE-2014-9112

Date: Fri, 12 Dec 2014 23:16:09 +1100

[Message part 1 (text/plain, inline)]

On Fri, 2014-12-12 10:41:50 +0100, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Thu, Dec 11, 2014 at 07:15:17AM +0100, Moritz Muehlenhoff wrote:
>> Package: cpio
>> Severity: grave
>> Tags: security
>> 
>> Hi,
>> please see http://seclists.org/fulldisclosure/2014/Nov/74
>> for the original report.
>> 
>> Patches:
>> http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff6
>> http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=54d1c42a
>> http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=58df4f1b
> 
> There seem to be additional issues with the fix for i386:
> https://bugzilla.redhat.com/show_bug.cgi?id=1167571#c9 (not verified
> by myself, just noticed in Red Hat's Bugzilla).
> 
> Regards,
> Salvatore

Dear debian-devel,

I uploaded cpio 2.11+dfsg-3 to experimental with the upstream patches
listed above. Please test it. It didn't segfault when I run it on amd64
as reported in Red Hat's Bugzilla.

Thank you,

Aníbal

[signature.asc (application/pgp-signature, inline)]

Message #27 received at 772793@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>

To: Aníbal Monsalve Salazar <anibal@debian.org>

Cc: Moritz Muehlenhoff <jmm@inutil.org>, Salvatore Bonaccorso <carnil@debian.org>, 772793@bugs.debian.org

Subject: Re: Bug#772793: cpio: CVE-2014-9112

Date: Mon, 15 Dec 2014 11:18:29 +0100

On Fri, 12 Dec 2014, Aníbal Monsalve Salazar wrote:
> >> Patches:
> >> http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff6
> >> http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=54d1c42a
> >> http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=58df4f1b
> > 
> > There seem to be additional issues with the fix for i386:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1167571#c9 (not verified
> > by myself, just noticed in Red Hat's Bugzilla).
> > 
> > Regards,
> > Salvatore
> 
> Dear debian-devel,
> 
> I uploaded cpio 2.11+dfsg-3 to experimental with the upstream patches
> listed above. Please test it. It didn't segfault when I run it on amd64
> as reported in Red Hat's Bugzilla.

There are two supplementary relevant fixes that have been committed
upstream:
http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=fd262d11
http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=f6a8a2cb

The latter only fixes the test suite in some architectures but the former
fixes a NULL pointer dereference... whether it has some security
implications can be debated but it looks a good idea to include it too.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Message #32 received at 772793@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>

To: Aníbal Monsalve Salazar <anibal@debian.org>

Cc: Moritz Muehlenhoff <jmm@inutil.org>, Salvatore Bonaccorso <carnil@debian.org>, 772793@bugs.debian.org

Subject: Re: Bug#772793: cpio: CVE-2014-9112

Date: Mon, 15 Dec 2014 15:08:04 +0100

Hi,

On Fri, 12 Dec 2014, Aníbal Monsalve Salazar wrote:
> I uploaded cpio 2.11+dfsg-3 to experimental with the upstream patches
> listed above. Please test it. It didn't segfault when I run it on amd64
> as reported in Red Hat's Bugzilla.

You need to use dh_autoreconf (dh --with autoreconf) if you want to run
the new tests that the upstream patches are providing. Right now the build
log https://buildd.debian.org/status/fetch.php?pkg=cpio&arch=i386&ver=2.11%2Bdfsg-3&stamp=1418386587 
doesn't show the new tests (symlink-bad-length and symlink-long)
being executed.

(You can compare this with the logs of the squeeze-lts update that I
just uploaded)

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Message #37 received at 772793-close@bugs.debian.org (full text, mbox, reply):

From: Raphaël Hertzog <hertzog@debian.org>

To: 772793-close@bugs.debian.org

Subject: Bug#772793: fixed in cpio 2.11-4+deb6u1

Date: Mon, 15 Dec 2014 15:34:42 +0000

Source: cpio
Source-Version: 2.11-4+deb6u1

We believe that the bug you reported is fixed in the latest version of
cpio, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772793@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated cpio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 15 Dec 2014 12:07:14 +0100
Source: cpio
Binary: cpio cpio-win32
Architecture: source all amd64
Version: 2.11-4+deb6u1
Distribution: squeeze-lts
Urgency: medium
Maintainer: Clint Adams <schizo@debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description: 
 cpio       - GNU cpio -- a program to manage archives of files
 cpio-win32 - GNU cpio -- a program to manage archives of files (win32 build)
Closes: 772793
Changes: 
 cpio (2.11-4+deb6u1) squeeze-lts; urgency=medium
 .
   * Non-maintainer security upload by the Debian LTS team.
   * Include upstream patches for CVE-2014-9112. Fixes a buffer
     overrun and multiple NULL pointer dereference.
     Closes: #772793
Checksums-Sha1: 
 151adf82e098d0c0cd0228602ab0e6a9e18a9dc7 1437 cpio_2.11-4+deb6u1.dsc
 97913cf119fb960cc5d94bdfa66a6e3e64dc63a1 39115 cpio_2.11-4+deb6u1.debian.tar.gz
 88aadf0521a142e034e1577f8fb32da77bf1711a 78684 cpio-win32_2.11-4+deb6u1_all.deb
 8ee6ab63db095120d5fdbe494c6c16c4c386405f 271482 cpio_2.11-4+deb6u1_amd64.deb
Checksums-Sha256: 
 617522a42f9d7a05b27924e5ba01794dbd7e0ed5ddf14709cb659d43b0320158 1437 cpio_2.11-4+deb6u1.dsc
 c4650c056acb11c0422964cb385daef57ca782cf17d9b8d2feec7debbdb36fc7 39115 cpio_2.11-4+deb6u1.debian.tar.gz
 7362a4608c856a8dfb7f429e5f06063c706c53897311f124308c802fe2596624 78684 cpio-win32_2.11-4+deb6u1_all.deb
 c6dc3c14a3e9d8242e96010ed4a67643c79c6ddd7b355e6787ce7a5cc65c424f 271482 cpio_2.11-4+deb6u1_amd64.deb
Files: 
 8d32cb767a22687d04aadac13cf0d7eb 1437 utils important cpio_2.11-4+deb6u1.dsc
 49c777e5f91cd775fbbc173c0f613524 39115 utils important cpio_2.11-4+deb6u1.debian.tar.gz
 77998b1b87314b7750c933c81cc35766 78684 utils extra cpio-win32_2.11-4+deb6u1_all.deb
 486cc6530cdb57276d4df156c24a8e39 271482 utils important cpio_2.11-4+deb6u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Signed by Raphael Hertzog

iQEcBAEBAgAGBQJUjuqGAAoJEAOIHavrwpq5E1IH/jTXiW3kX/Vr/9ScyU929zng
11k0C2Lj+6SQvO68PtWNOVDDZVK/VXKBh+kmeVxt6OzxQIpJ7jq1eskNWW5FFDL/
69tSTLm/I6giyWOCRyTqNLCnDUiOg/hhyxnhhPlHT1Aynn3My2UPZRZhYVDtpfcQ
5Of7V5wHg/Ai37ci3A7OLm4CRB5q8SdhQnu+CwSzIwY8fJYqZmvVk0HoT6OmTNmj
3x9DA5Rtqqh6O6tJ+tUmrWc7pdoBAyNl9+S7LMUPW5mgiuMOvp462gTKIOgSCQSV
Vkqanq/yKJF7ocxQ+UsKSdllMnHiJZrUHwXwAyAvNe68HJaDfLwgOvRTrxz0siI=
=Fs91
-----END PGP SIGNATURE-----

Message #42 received at 772793@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>

To: 772793@bugs.debian.org

Subject: Re: Bug#772793: cpio: CVE-2014-9112

Date: Sat, 20 Dec 2014 23:34:48 -0500

On Fri, Dec 12, 2014 at 7:16 AM, Aníbal Monsalve Salazar wrote:
> I uploaded cpio 2.11+dfsg-3 to experimental with the upstream patches
> listed above. Please test it. It didn't segfault when I run it on amd64
> as reported in Red Hat's Bugzilla.

Hi,

I tested the update, and it seems to work fine.  Are you planning to
upload to unstable soon?

In the meantime, I'm going to prepare the wheezy DSA.

Best wishes,
Mike

Message #47 received at 772793@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>

To: 772793@bugs.debian.org

Subject: Re: Bug#772793: cpio: CVE-2014-9112

Date: Sun, 21 Dec 2014 00:15:36 -0500

control: reopen -1

On Sat, Dec 20, 2014 at 11:34 PM, Michael Gilbert wrote:
> In the meantime, I'm going to prepare the wheezy DSA.

While preparing it, I noticed that there are a couple commits missing
from the experimental package, commits fd262d11 and f6a8a2cb:
https://security-tracker.debian.org/tracker/CVE-2014-9112

Those are included in the LTS update, and I think they really need to
be included in exp/unstable also.

Best wishes,
Mike

Message #56 received at 772793@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>

To: 772793@bugs.debian.org

Subject: Re: Bug#772793: cpio: CVE-2014-9112

Date: Sun, 21 Dec 2014 00:20:03 -0500

On Sat, Dec 20, 2014 at 11:34 PM, Michael Gilbert wrote:
> On Fri, Dec 12, 2014 at 7:16 AM, Aníbal Monsalve Salazar wrote:
>> I uploaded cpio 2.11+dfsg-3 to experimental with the upstream patches
>> listed above. Please test it. It didn't segfault when I run it on amd64
>> as reported in Red Hat's Bugzilla.
>
> Hi,
>
> I tested the update, and it seems to work fine.  Are you planning to
> upload to unstable soon?
>
> In the meantime, I'm going to prepare the wheezy DSA.

While preparing the DSA, I noticed that there are a couple commits
possibly missing from the experimental package, commits fd262d11 and
f6a8a2cb:
https://security-tracker.debian.org/tracker/CVE-2014-9112

I think those should be included.

Best wishes,
Mike

Message #63 received at 772793-close@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>

To: 772793-close@bugs.debian.org

Subject: Bug#772793: fixed in cpio 2.11+dfsg-2.1

Date: Sun, 21 Dec 2014 22:33:57 +0000

Source: cpio
Source-Version: 2.11+dfsg-2.1

We believe that the bug you reported is fixed in the latest version of
cpio, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772793@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated cpio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 21 Dec 2014 21:09:44 +0000
Source: cpio
Binary: cpio cpio-win32
Architecture: source all
Version: 2.11+dfsg-2.1
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description:
 cpio       - GNU cpio -- a program to manage archives of files
 cpio-win32 - GNU cpio -- a program to manage archives of files (win32 build)
Closes: 772793
Changes:
 cpio (2.11+dfsg-2.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2014-9112: out of bounds write, insufficient range checking, and
     null pointer dereference issues (closes: #772793).
Checksums-Sha1:
 d8a4cb33ece14456a869a04c8fb476998c3cb720 2548 cpio_2.11+dfsg-2.1.dsc
 c15e64285b11472586924bd2e47b14cb800e37d4 18410 cpio_2.11+dfsg-2.1.debian.tar.bz2
 382c38aaac01cb668689f314899f51e389921757 59226 cpio-win32_2.11+dfsg-2.1_all.deb
Checksums-Sha256:
 69d0873a184cd2a3e4515625a3abd429764bcae9b372593ccc74453a249e3567 2548 cpio_2.11+dfsg-2.1.dsc
 67b52d3f2cab21136fca80ebe0c585b55701f4b3b5aecec12e899956129fb994 18410 cpio_2.11+dfsg-2.1.debian.tar.bz2
 201f50abca95bc4570c67cd9e01bd406ff09c507f1a7ef4375fc34fcac340869 59226 cpio-win32_2.11+dfsg-2.1_all.deb
Files:
 d775e80de3c03fa3efb534f40516c8be 2548 utils important cpio_2.11+dfsg-2.1.dsc
 52768bbc0d3c153fa884e3ab3292afcd 18410 utils important cpio_2.11+dfsg-2.1.debian.tar.bz2
 a34f51096def480cfe852f8186bbcba3 59226 utils extra cpio-win32_2.11+dfsg-2.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQQcBAEBCgAGBQJUl0grAAoJELjWss0C1vRz6msgAJHoBqot5jUVtvUDEwbqD/aC
YMjhBrxfbPrt/r66+jIDSvdcTHDaPUm6nJmlBiFj97PcVO0pE6pnUw3g06tQkdiQ
aR1tSZFPvBiypZvjycVdRul8MFjgIwQX5cHPPBiAzeMwD9qhBeAens+Zw6763zpv
7DfUfR/7DX9+er3jfSRSXtImZPsZnkSK1Fg1JzgCpaiMY+mzh6p02WC00rwHNxac
Tkho6ynbnLB+PmRYMlUJWvF4OD42+vckev7YE7OpLN4NtSJ+KNIytiC8elpnKvs8
1cjfE2icfkW5tPtVZCUmMNYflgzAaBYwgjfmlvEDasACYpHTjJguukf6SERfCNM3
Y3N2eEwOdebc5OP8PS700LqiSLJDP2JTLW/v2/ZgrRCOF09VI53mtG1GPhB0GHVu
ch4cDYxV0hIMoqvz6dJKAfTtGQ3VV0nbl4zS7yLW/5TVbjDUwqzO4Kd4rGn7paA6
qtHIzyRd0OmAcSzAV9VZKwhQ529r9b4xEo3xjkGpHLoYhk90SEYjbN6CuDtiKfUG
CB+DOINW5SC2WLn1Y5ZF25NYZgzHS8b9LeRd9fN/1hUsZ0xm1vMqfGWORzktha9K
X5/Cuwc8ZgzeOW4axSMmU7D2KoQATnvF00Be7uBbgleuoj+AQ8Yt8e7zcDaC0IQE
ttd47ObdP164hGFjHl4mnxc7jmJAYn768v70OF4GyLP8+WWoi88GSgPK8JjdE7C4
PQ1+l93zQj5Rp8e27uSR/aCnQamtxF+WaJlmMmT8rccI8TKXrSv4OJkaUPnFRDJu
rLqga52imSlc2QrIRt5pHRTzsknF+aXS2ka7PetYj2w6uAnVV5gGdVfjeTzl5iem
EEe1jNbaHS/rujM7KL+GPXkZLvvbtM2ndUSik/wosjirwUPZu0SYduUOaYNSNZjP
dR5/sheGEqkHgN0KQXmbLImpUTR8buLKPieilgJ61e9XJ5X7oAgOPbUNULjfrYTX
OrTjTOWE1ABml+vAJP4gbp9rHB5m18YP+PYdmqfTy0FhJHbwK94So8I1lVYf6sIg
6UtkrIIR1iBU/9b11mRbZbqmPzvj/C1kakBVPphTAsAwVpcRBHSMBlt5s9Dgb9QL
r0lorvBeZDb2R37LH3Td3HSmdK5PMhTf4g8JI2duJzNY54zEwk6ucYArLpNvlYMm
Fi5C53pVWkcU20Ok2UYGH2lI0EegvKOz09P9hMMqN/zQ54EvWLtZThO03Pjq+2Io
IHqA4v5wwHKv218OUIxN7iUwZaVEbaIQaoy29I/lfEyu7ylN3dl1inVudAUxjinK
+O3JCBHJ160EnLgHnNwjOdhhy6bacUZS2VhmQ3mvy0IayZHOYhTwnIz2ZrSBUEQ=
=eXa7
-----END PGP SIGNATURE-----

Message #68 received at 772793@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>

To: 772793@bugs.debian.org

Subject: Re: Bug#772793: cpio: CVE-2014-9112

Date: Sun, 21 Dec 2014 17:54:20 -0500

[Message part 1 (text/plain, inline)]

On Sun, Dec 21, 2014 at 12:15 AM, Michael Gilbert wrote:
> Those are included in the LTS update, and I think they really need to
> be included in exp/unstable also.

Hi,

I uploaded an nmu with the mentioned changes to unstable.  Please see
attached patch.

Best wishes,
Mike

[cpio.patch (text/x-patch, attachment)]

Message #73 received at 772793-close@bugs.debian.org (full text, mbox, reply):

From: Anibal Monsalve Salazar <anibal@debian.org>

To: 772793-close@bugs.debian.org

Subject: Bug#772793: fixed in cpio 2.11+dfsg-4

Date: Mon, 22 Dec 2014 12:04:08 +0000

Source: cpio
Source-Version: 2.11+dfsg-4

We believe that the bug you reported is fixed in the latest version of
cpio, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772793@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated cpio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 22 Dec 2014 11:42:11 +0000
Source: cpio
Binary: cpio cpio-win32
Architecture: source all amd64
Version: 2.11+dfsg-4
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description:
 cpio       - GNU cpio -- a program to manage archives of files
 cpio-win32 - GNU cpio -- a program to manage archives of files (win32 build)
Closes: 772793
Changes:
 cpio (2.11+dfsg-4) unstable; urgency=high
 .
   [ Michael Gilbert <mgilbert@debian.org> ]
   * Fix CVE-2014-9112: null pointer dereference issues.
     Add the following upstream patches:
     fd262d11.patch
     f6a8a2cb.patch
     Closes: #772793.
Checksums-Sha1:
 842c7974e4c2dfc22131fb34ef33fd7c76aab1c1 1843 cpio_2.11+dfsg-4.dsc
 4c87848435285e1fc2145a9c3436f3fbd1520d2d 17756 cpio_2.11+dfsg-4.debian.tar.xz
 0108fefc04a565afc6b73780abc452befe88d248 59308 cpio-win32_2.11+dfsg-4_all.deb
 9247eca2c2f4ab973e80f9b24529ac1046e076f9 176982 cpio_2.11+dfsg-4_amd64.deb
Checksums-Sha256:
 452d32f8d4eb9c5bd3a6bd5e49adfc7fbe1f502d1883c51ebb5a6d26c84b4c73 1843 cpio_2.11+dfsg-4.dsc
 108718317981eb792866f5ca7d2cee4dd2c5f2b54ce45628719148c321b8fed7 17756 cpio_2.11+dfsg-4.debian.tar.xz
 005e3f0a1096058e8f73c99c7abe2a54874bdeb5f05cd2b3db914be4dce34e1f 59308 cpio-win32_2.11+dfsg-4_all.deb
 31e181b71a4d8b945258180a41c8bb523adeb79cb7f86e3861102df56c4bd0cc 176982 cpio_2.11+dfsg-4_amd64.deb
Files:
 5e37306cc5c7a3038a51405827286ee7 1843 utils important cpio_2.11+dfsg-4.dsc
 b138e08817577210c860defbbe4ab2b5 17756 utils important cpio_2.11+dfsg-4.debian.tar.xz
 9730d792bedd956e06ba7e262359d1d9 59308 utils extra cpio-win32_2.11+dfsg-4_all.deb
 581a5e1155fe3e3eade27058c1bf7f50 176982 utils important cpio_2.11+dfsg-4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJUmAbSAAoJEHxWrP6UeJfYSM4P/RdFRjPNEi/qdmvFok2lE0M0
6SfCxqUfHc6wqcCW7syjBHz7gcDQmWRKh4Jf94B761reFqk6VrQFbfQjNGmJ+UBD
FSs5ut1mlITeLIxllvrer4a+LrKaFn/zYNuMPk6cFRqXCALa6+A5XOY2O6nDOgKB
7Gg15i9KFgdq0JrE3bHBXKOJz4+qn98K2zpBG9Cyqjg38QR4cfTlFJYc7tE33cIe
MMInr9XW+sS750wOLVwOEUezj6LW6jelk/2m9EpDQeKCvWbq6fIMCCoAVX0VV7za
JyZPDENBlZjfmmuiu3Hw17l9iZKDBee5j+KOMT3rOE8mVMUOMGI41RgJWMTUNFIi
VbyJIjcPfj9ULgox3O7Ah4GzqWpfq04SV3NDCDaT7EaP6E8idkMcFoZdT6YUJ+y6
+a20xUj5axWVKoWlkxz2KdDoexAM2rzvOhOfXh4zBs1pysPjbBup8G2fJxdoG9u0
wg+X4rbQh4oijryQXOm9mDwHXt7u7Ez500Iw8cbYDLjutq7LCBnWjWKMYF5I818n
OYIU10d6z0LMDvQrYfROcKB/3WBz50eHU1wFO+GE34dtIxut54XN7FNLNcpWnQEt
wTgBr9rsc5NzeznoxnxtV6KpdscxV6+gECydPS8IHQI79VMX7KL3I9NHI3JjOGdO
Shz6kd0uZgYPajzV3Cyj
=TOCN
-----END PGP SIGNATURE-----

Message #78 received at 772793-close@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>

To: 772793-close@bugs.debian.org

Subject: Bug#772793: fixed in cpio 2.11+dfsg-0.1+deb7u1

Date: Wed, 24 Dec 2014 18:32:06 +0000

Source: cpio
Source-Version: 2.11+dfsg-0.1+deb7u1

We believe that the bug you reported is fixed in the latest version of
cpio, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772793@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated cpio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 22 Dec 2014 22:13:01 +0000
Source: cpio
Binary: cpio cpio-win32
Architecture: source all i386
Version: 2.11+dfsg-0.1+deb7u1
Distribution: stable-security
Urgency: high
Maintainer: Ruben Molina <rmolina@udea.edu.co>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 cpio       - GNU cpio -- a program to manage archives of files
 cpio-win32 - GNU cpio -- a program to manage archives of files (win32 build)
Closes: 772793
Changes: 
 cpio (2.11+dfsg-0.1+deb7u1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2014-9112: out of bounds write, insufficient range checking, and
     null pointer dereference issues (closes: #772793).
Checksums-Sha1: 
 fe0fddb16f429b9ac9a7bd5f5a13aacbba8bf49c 2662 cpio_2.11+dfsg-0.1+deb7u1.dsc
 db17d80369acf691611a38979f42f31e47ee6fac 802940 cpio_2.11+dfsg.orig.tar.xz
 7dcc907431eeb277cca0bdf647e1734ced440dc3 16920 cpio_2.11+dfsg-0.1+deb7u1.debian.tar.bz2
 a5b08db8cddf1eb8b305420f61d113b94ca9de33 74086 cpio-win32_2.11+dfsg-0.1+deb7u1_all.deb
 5c25d79b37aa9092fb22ed01b83762435c8769dd 267080 cpio_2.11+dfsg-0.1+deb7u1_i386.deb
Checksums-Sha256: 
 e67f415ff3608fe2f82f4c8d4cc7a9c00ee3fa6eb3aa0bbf4967334f6bd432fd 2662 cpio_2.11+dfsg-0.1+deb7u1.dsc
 f3208df43692895e1ff84cb7625c6cc27b431c9a321fe414faed402b70660cd0 802940 cpio_2.11+dfsg.orig.tar.xz
 af7d3c420273e5267542662bb6e8ec965db40dfd3e5d9f5cff31cc445015ae6b 16920 cpio_2.11+dfsg-0.1+deb7u1.debian.tar.bz2
 6f9129e91e0ea4dfd528fbb1722389a291a0f2b8b264c3afcf257c589254b869 74086 cpio-win32_2.11+dfsg-0.1+deb7u1_all.deb
 f99e163bbe7d973542557f366efbcdc29a7c2fff0024feb6f545939e412e5180 267080 cpio_2.11+dfsg-0.1+deb7u1_i386.deb
Files: 
 3da368e4fd21da864005e43382948a2f 2662 utils important cpio_2.11+dfsg-0.1+deb7u1.dsc
 54d2f3b3561c3a1ca2c192e94f00bc38 802940 utils important cpio_2.11+dfsg.orig.tar.xz
 ab9ccc32777bb208463e32afa596530f 16920 utils important cpio_2.11+dfsg-0.1+deb7u1.debian.tar.bz2
 784d48d0f343f0575b63a4e117c35ea3 74086 utils extra cpio-win32_2.11+dfsg-0.1+deb7u1_all.deb
 c8f5824f405f3eec2e741c64df21f071 267080 utils important cpio_2.11+dfsg-0.1+deb7u1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQQcBAEBCgAGBQJUmJlPAAoJELjWss0C1vRzai4f+wUL43ZJ/bOUXwKKJRKvt8k5
sDkGP/J6S3ahuN6Gg8LwYJvgS53mZtwgO1BmzRsbaZpZLU5X9eJpCYzOJQ3apnqy
zsZDLyvYnp70W3SbMaDk/TuMh0Ohu90F6cm6ghqNXmJe0gpTCHII3GFJvZNECKWT
8uecBHtFXOW7zm8PcC3LDeLrjcqJtYYgACZUYRKvlFnMzingRiEP+uZ+VRlRiUZ/
QjyyTUaub+P7Zxh4WzQsN02Fl3wry4ui9cjGEECwIeGyq/cjfDinhAfp+a3/+M+L
dhqavw+5c3qrheoBKs48AylE+Abn2rvJjmUBneU6L1v0Kb9Q/9B3l0iFYmgQqxvX
E61SzGnQ/YCDU1iYyAzhMUJtkHkbAeUwdaCPZJeglbe41KuC5Q5p0sT/zg3smOih
SzUe5YhX6nf09yIxTlAPDpXWwkqzu90Vk8r7s4KN5YRIcPOBZLuC4b8D9PWaNzkV
etAtK2ZSXUO+v9gpxu5DJIZ7crUymL2285A5eRPgvoerW3A9x5hzA9NXTojptYa9
JhSjWnNhkrZBja4lGtID0z6aGNMpKX8EvQ1FdrVfwA5pSbLAE8EeLpszUZkR0Dwk
QMwBwc2JGaWj+yVb86C1YCcvdhCbVuTsr2dbAPKZQIeas3B6iVQop9ZTsMTs+l5r
5TGBe4C/19QdvZsbuTNeEOCHiWpqfXjeRtwS9Vvl6Ykqj6H9i6ddEabecFIYMb+9
sz6BU/nh4hPhwauVpw3uThqzqt1S3o3JPPrOZZp+17Dyq5i4z0T2IdvzigJwsvAL
102r7IpX9G+i8EY53e2NFqX15/8BI2B/wQBI8q7USNADIkv7N3z4b9L8DU580/gc
PUpA76d+pshCjReKdem9n3kpBysOMi1t4yFHakrWWX1bME5lLbXHn5DIaUdHO2+v
f74uFZeNkWkO+7O/ad48cbAoFrKlVVHosFaDP72ldrtkwLGv/UJ1sbB+1C8TKgj9
MfNjuq2VLkUS9jZppF5bN9tbbuCyfx7bBlIMz9FkwKYf9BbzXHQYwohtjNVxbAW2
03vlbaIj3oR0u94IPSfYmZsXqazlOkazcvySSuJNvBu6cHmRLU0FLYUV5eHC1zyC
+9zBdYL1vDA6dO/tTVJmk+43m3jZBz/N5WCbBym+/TScS9VelPZkjm17jvan1vih
A5RJAZTEFfDq5aLGVbqdvcQaqmPmqMwpscU5UPZ7NsclU//t3JtuFkyZt9Pt6Jeq
Y22AOcpXshY3SKhKpP19H0GSNdlALNWRPkiXddFPEOHFnt0Qg4GGh6ACCik6er0F
nUa0Zoupmvy4MVP1h6GmDG+erU+aam8sOTIEDbL9wO/uFUCbgcgUjg0q9ndwaXU=
=vPDE
-----END PGP SIGNATURE-----

Message #83 received at 772793@bugs.debian.org (full text, mbox, reply):

From: Привет, вы получено €800,000. Заполните форму ниже. ФИО:..,Пол:..,Страна:..,Работа:..,Возраст:.. <lottocordinator.awards8@gmail.com>

To: undisclosed-recipients:;

Subject: a

Date: Wed, 31 Dec 2014 13:03:41 +0100

Message #88 received at 772793@bugs.debian.org (full text, mbox, reply):

From: Привет, Вы получили €800,000. Заполните форму ниже. ФИО:..,Пол:..,Страна:..,Работа:..,Возраст:.. <lottocordinator.awards1@gmail.com>

To: undisclosed-recipients:;

Subject: a

Date: Wed, 31 Dec 2014 13:06:35 +0100

Send a report that this bug log contains spam.