[Debian] High CVE: CVE-2021-38185 cpio: integer overflow that triggers an out-of-bounds heap write

Bug #2038793 reported by Yue Tao
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| StarlingX | Triaged | High | Unassigned | |

Bug Description

CVE-2021-38185: https://nvd.nist.gov/vuln/detail/CVE-2021-38185

GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.

Base Score: High

Reference:

['cpio_2.13+dfsg-4_amd64.deb===>cpio_2.13+dfsg-7.1~deb11u1_amd64.deb']
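
An added example, not cpio's source or the upstream fix: a simplified C model of the bug class named in the description, where a buffer capacity held in a signed int overflows when grown, beside a growth routine that uses size_t and checks before multiplying. The `struct dstr` type, the function names, the signed int capacity and the `cap * 2 + 2` growth rule are assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string; not cpio's own type. */
struct dstr { size_t cap; char *buf; };

/* Assumed unsafe pattern: capacity kept in a signed int and grown as
   cap * 2 + 2. Evaluated in long long so this demo has no undefined
   behaviour; returns 1 when the result no longer fits in int. */
int int_growth_overflows(int cap) {
    long long next = (long long)cap * 2 + 2;
    return next > INT_MAX;
}

/* Hardened growth: size_t arithmetic, overflow checked before multiplying.
   Returns 0 on success, -1 on overflow or allocation failure. */
int dstr_grow(struct dstr *s) {
    if (s->cap > (SIZE_MAX - 2) / 2)
        return -1;
    size_t ncap = s->cap * 2 + 2;
    char *p = realloc(s->buf, ncap);
    if (p == NULL)
        return -1;
    s->buf = p;
    s->cap = ncap;
    return 0;
}

/* Append one byte and keep the string NUL-terminated; grows when needed. */
int dstr_putc(struct dstr *s, size_t *len, char c) {
    if (*len + 1 >= s->cap && dstr_grow(s) != 0)
        return -1;
    s->buf[(*len)++] = c;
    s->buf[*len] = '\0';
    return 0;
}

int main(void) {
    const char *line = "constructed-pattern-line"; /* constructed sample input */
    struct dstr s = { 0, NULL };
    size_t len = 0;
    for (size_t i = 0; line[i] != '\0'; i++)
        if (dstr_putc(&s, &len, line[i]) != 0)
            return 1;
    printf("%s (len=%zu cap=%zu)\n", s.buf, len, s.cap);
    printf("int overflow at cap=%d: %d\n", INT_MAX / 2, int_growth_overflows(INT_MAX / 2));
    free(s.buf);
    return 0;
}
```

Once a signed size counter wraps, later bounds comparisons against it stop protecting the buffer, which is why the hardened routine refuses to grow rather than continuing with a wrapped value.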

This report contains Public Security information  
Everyone can see this security related information.
