CVE-2021-31872 in Ubuntu

CVE-2021-31872

Priority

Description

An issue was discovered in klibc before 2.0.9. Multiple possible integer
overflows in the cpio command on 32-bit systems may result in a buffer
overflow or other security impact.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31872
https://kernel.org/pub/linux/libs/klibc/2.0/
https://lists.zytor.com/archives/klibc/2021-April/004593.html
https://ubuntu.com/security/notices/USN-5379-1

Assigned-to

litios

Notes

mdeslaur	only used in initramfs, doesn't parse untrusted data
sbeattie	also, the integer overflow is only on 32bit systems, 64bit platforms should not be affected.

Package

Source: klibc (LP Ubuntu Debian)

Upstream:	released (2.0.8-6)
Ubuntu 18.04 LTS:	released (2.0.4-9ubuntu2.1)
Ubuntu 20.04 LTS:	released (2.0.7-1ubuntu5.1)
Ubuntu 21.10:	not-affected (2.0.8-6.1ubuntu2)
Ubuntu 16.04 ESM:	released (2.0.4-8ubuntu1.16.04.4+esm1)
Ubuntu 22.04 LTS:	not-affected (2.0.8-6.1ubuntu2)
Ubuntu 14.04 ESM:	released (2.0.3-0ubuntu1.14.04.3+esm2)

Patches:

Upstream:

https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=9b1c91577aef7f2e72c3aa11a27749160bd278ff

More Information

Updated: 2022-04-25 00:55:20 UTC (commit ecc1009cb19540b950de59270950018900f37f15)