Your message dated Fri, 13 Aug 2021 03:33:30 +0000
with message-id <e1menwo-0003wn...@fasolo.debian.org>
and subject line Bug#992098: fixed in cpio 2.13+dfsg-6
has caused the Debian Bug report #992098,
regarding cpio: Regression from CVE-2021-38185 fix: cpio hangs when target path passed with 128 characters
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
992098: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992098
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cpio
Version: 2.13+dfsg-5
Severity: serious
Tags: upstream
Justification: regression, has influences to other programs, partially FTBFS of packages, and other impact
X-Debbugs-Cc: car...@debian.org

Hi

It looks like the fix for CVE-2021-38185 applied in 2.13+dfsg-5 causes
a regression. I noticed it initially when doing a kernel build, where we
have the invocation

----cut---------cut---------cut---------cut---------cut---------cut-----
dh_prep
set -o pipefail; \
cd debian/build/source_none; \
( \
        echo Makefile; \
        for arch in alpha arm arm64 ia64 m68k mips parisc powerpc riscv s390 sh sparc x86; do \
                find arch/$arch -maxdepth 1 -name 'Makefile*' -print; \
                find arch/$arch \( -name 'Kbuild.platforms' -o -name 'Platform' \) -print; \
                find $(find arch/$arch \( -name include -o -name scripts \) -type d -print) -print; \
        done; \
        find include -print; \
) \
| \
cpio -pd --preserve-modification-time '/home/build/linux-5.13.9/debian/linux-headers-5.13.0-trunk-common//usr/src/linux-headers-5.13.0-trunk-common'
cpio: h: Cannot stat: No such file or directory
cpio: int.h: Cannot stat: No such file or directory
cpio: .h: Cannot stat: No such file or directory
cpio: ander.h: Cannot stat: No such file or directory
cpio: .h: Cannot stat: No such file or directory
cpio: -clock.h: Cannot stat: No such file or directory
94174 blocks
----cut---------cut---------cut---------cut---------cut---------cut-----

but this was not a problem with 2.13+dfsg-4.

Trying to track this down, it looks like it works with 2.13+dfsg-4, while
it hangs with the new version:

root@sid:~# cd $(mktemp -d) ; touch foo ; echo foo | cpio -pd $(python3 -c 'print("A" * 128)')
0 blocks

Now updating cpio:

root@sid:/tmp/tmp.1Q1sQ1UmJ3# apt-get install cpio
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
  libarchive1
The following packages will be upgraded:
  cpio
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/244 kB of archives.
After this operation, 8192 B of additional disk space will be used.
(Reading database ... 78465 files and directories currently installed.)
Preparing to unpack .../cpio_2.13+dfsg-5_amd64.deb ...
Unpacking cpio (2.13+dfsg-5) over (2.13+dfsg-4) ...
Setting up cpio (2.13+dfsg-5) ...
Processing triggers for man-db (2.9.4-2) ...

and doing the same again:

root@sid:/tmp/tmp.1Q1sQ1UmJ3# cd $(mktemp -d) ; touch foo ; echo foo | cpio -pd $(python3 -c 'print("A" * 128)')
^C
root@sid:/tmp/tmp.1FBtWOr0jO#

Regards,
Salvatore

--- End Message ---
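A scripted form of the reproducer above, added here as an example and not part of Salvatore's report or of the cpio package: it runs `cpio -pd` into a target name of a given length under `timeout`, so a hanging cpio is reported (exit status 124 from timeout) instead of blocking the shell. The 5-second bound and the control length of 8 are assumptions; 128 is the length from the report.

```shell
#!/bin/sh
# Added regression check, not from the bug report or the cpio package.
# Copies one file with `cpio -pd` into a directory whose name is LEN
# characters long, bounded by `timeout`, so a hanging cpio (the
# 2.13+dfsg-5 regression) is reported rather than blocking the shell.

# Print CHAR repeated COUNT times, without a trailing newline.
repeat_char() {
    _i=0; _out=""
    while [ "$_i" -lt "$2" ]; do
        _out="${_out}$1"
        _i=$((_i + 1))
    done
    printf '%s' "$_out"
}

# check_cpio_target_len LEN SECS
# Returns 0 when cpio finishes within SECS seconds, 1 when timeout had to
# kill it (exit status 124), 2 when cpio or timeout is not installed.
check_cpio_target_len() {
    command -v cpio    >/dev/null 2>&1 || return 2
    command -v timeout >/dev/null 2>&1 || return 2
    _work=$(mktemp -d) || return 2
    _target=$(repeat_char A "$1")
    # Same shape as the reproducer: touch foo; echo foo | cpio -pd <target>
    ( cd "$_work" && touch foo && echo foo | timeout "$2" cpio -pd "$_target" ) \
        >/dev/null 2>&1
    _rc=$?
    rm -rf "$_work"
    [ "$_rc" -eq 124 ] && return 1
    return 0
}

# Report for the length from the bug report (128) and a short control length.
report() {
    for _len in 8 128; do
        _rc=0
        check_cpio_target_len "$_len" 5 || _rc=$?
        case $_rc in
            0) echo "target length $_len: cpio completed" ;;
            1) echo "target length $_len: cpio HUNG (regression present)" ;;
            *) echo "target length $_len: not tested (cpio/timeout missing)" ;;
        esac
    done
}

report
```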
--- Begin Message ---
Source: cpio
Source-Version: 2.13+dfsg-6
Done: Anibal Monsalve Salazar <ani...@debian.org>

We believe that the bug you reported is fixed in the latest version of
cpio, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <ani...@debian.org> (supplier of updated cpio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Fri, 13 Aug 2021 13:06:27 +1000
Source: cpio
Architecture: source
Version: 2.13+dfsg-6
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <ani...@debian.org>
Changed-By: Anibal Monsalve Salazar <ani...@debian.org>
Closes: 992098
Changes:
 cpio (2.13+dfsg-6) unstable; urgency=high
 .
   * Fix regression of original fix for CVE-2021-38185
     Add patch 992098-regression-of-orig-fix-for-CVE-2021-38185
     Closes: #992098


--- End Message ---
