Source: cpio
Version: 2.13+dfsg-5
Severity: serious
Tags: upstream
Justification: regression, has influences to other programs, partially FTBFS of 
packages, and other impact
X-Debbugs-Cc: car...@debian.org

Hi

It looks like the fix for CVE-2021-38185 applied in 2.13+dfsg-5 causes
a regression. I noticed it initially while doing a kernel build, where we
have the invocation

----cut---------cut---------cut---------cut---------cut---------cut-----
dh_prep
set -o pipefail; \
cd debian/build/source_none; \
( \
        echo Makefile; \
        for arch in alpha arm arm64 ia64 m68k mips parisc powerpc riscv s390 sh sparc x86; do \
                find arch/$arch -maxdepth 1 -name 'Makefile*' -print; \
                find arch/$arch \( -name 'Kbuild.platforms' -o -name 'Platform' \) -print; \
                find $(find arch/$arch \( -name include -o -name scripts \) -type d -print) -print; \
        done; \
        find include -print; \
) \
| \
cpio -pd --preserve-modification-time '/home/build/linux-5.13.9/debian/linux-headers-5.13.0-trunk-common//usr/src/linux-headers-5.13.0-trunk-common'
cpio: h: Cannot stat: No such file or directory
cpio: int.h: Cannot stat: No such file or directory
cpio: .h: Cannot stat: No such file or directory
cpio: ander.h: Cannot stat: No such file or directory
cpio: .h: Cannot stat: No such file or directory
cpio: -clock.h: Cannot stat: No such file or directory
94174 blocks
----cut---------cut---------cut---------cut---------cut---------cut-----

but this was not a problem with 2.13+dfsg-4.

Trying to track this down, it looks like the following works with
2.13+dfsg-4, while it hangs with the new version:

root@sid:~# cd $(mktemp -d) ; touch foo ; echo foo | cpio -pd $(python3 -c 'print("A" * 128)')
0 blocks

Now updating cpio:

root@sid:/tmp/tmp.1Q1sQ1UmJ3# apt-get install cpio
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
  libarchive1
The following packages will be upgraded:
  cpio
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/244 kB of archives.
After this operation, 8192 B of additional disk space will be used.
(Reading database ... 78465 files and directories currently installed.)
Preparing to unpack .../cpio_2.13+dfsg-5_amd64.deb ...
Unpacking cpio (2.13+dfsg-5) over (2.13+dfsg-4) ...
Setting up cpio (2.13+dfsg-5) ...
Processing triggers for man-db (2.9.4-2) ...

and doing the same again:

root@sid:/tmp/tmp.1Q1sQ1UmJ3# cd $(mktemp -d) ; touch foo ; echo foo | cpio -pd $(python3 -c 'print("A" * 128)')
^C
root@sid:/tmp/tmp.1FBtWOr0jO#

Regards,
Salvatore
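
A bounded version of the reproducer above, as an added example that is not part of the original report: it runs `echo foo | cpio -pd <dest>` under `timeout` for several destination-name lengths, so a hanging cpio is reported as a verdict instead of blocking a build. The function names, `PROBE_TIMEOUT` and the script name in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example: bounded check for the cpio -pd hang reported above.
# Function names and PROBE_TIMEOUT are assumptions, not part of cpio.

PROBE_TIMEOUT="${PROBE_TIMEOUT:-5}"  # seconds before a run counts as a hang

# Map the exit status of `timeout ... cpio` to a verdict.
classify_status() {
    case "$1" in
        0)       echo ok ;;
        124|137) echo hang ;;   # 124: timed out; 137: needed SIGKILL
        *)       echo error ;;
    esac
}

# Run `echo foo | cpio -pd <dest>` in a throwaway directory, where <dest>
# is a name of $1 "A" characters, and print ok, hang, error or skipped.
probe_len() {
    local len="$1" work dest status=0
    command -v cpio >/dev/null 2>&1 || { echo skipped; return 0; }
    command -v timeout >/dev/null 2>&1 || { echo skipped; return 0; }
    work="$(mktemp -d)" || { echo error; return 0; }
    dest="$(printf '%*s' "$len" '' | tr ' ' 'A')"
    (
        cd "$work" && touch foo &&
        echo foo | timeout -k 1 "$PROBE_TIMEOUT" cpio -pd "$dest" >/dev/null 2>&1
    ) || status=$?
    rm -rf -- "$work"
    classify_status "$status"
}

# Probe each length given; return 1 if any run hangs.
sweep() {
    local len verdict rc=0
    for len in "$@"; do
        verdict="$(probe_len "$len")"
        printf 'dest length %4s: %s\n' "$len" "$verdict"
        if [ "$verdict" = hang ]; then rc=1; fi
    done
    return "$rc"
}

# Stand-alone use: ./cpio-hang-check.sh 64 127 128 129
if [ "$#" -gt 0 ]; then sweep "$@"; fi
```

Run before and after a cpio upgrade, the per-length verdicts show whether the 128-character case from the report regressed and whether nearby lengths behave the same way.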
