+++ This bug was initially created as a clone of Bug #37294 +++

A buffer overflow in cpio allows the execution of arbitrary code or denial of service if a malformed CPIO archive is opened (CVE-2014-9112)
Directory traversal in cpio (CVE-2015-1197)
(In reply to Moritz Muehlenhoff from comment #0)
> +++ This bug was initially created as a clone of Bug #37294 +++
>
> A buffer overflow in cpio allows the execution of arbitrary code or denial
> of service if a malformed CPIO archive is opened (CVE-2014-9112)

This was fixed during the import of the Wheezy 7.8 point update in Bug 37511
The main two issues here have been fixed in upstream Debian package version 2.11+dfsg-0.1+deb7u1

CVE-2015-1197 has been classified as "Minor issue" in Debian
(In reply to Arvid Requate from comment #3)
> The main two issues here have been fixed in upstream Debian package version
> 2.11+dfsg-0.1+deb7u1

This is already part of UCS 4.0-1.

> CVE-2015-1197 has been classified as "Minor issue" in Debian

OK, resetting target milestone.
Upstream Debian package version 2.11+dfsg-0.1+deb7u2 fixes this additional issue:
* out-of-bounds write with cpio 2.11 (CVE-2016-2037)
This issue has been filed against UCS 4.1. UCS 4.1 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.