CVE-2019-14866

Priority
Description
cpio, in all versions before 2.13, does not properly validate input files
when generating TAR archives. When cpio is used to create TAR archives from
paths an attacker can write to, the resulting archive may contain files
with permissions the attacker did not have or in paths the attacker did not
have access to. Extracting those archives as a high-privilege user without
carefully reviewing them may lead to the compromise of the system.
Assigned-to
leosilva
Notes
Package
Source: cpio (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): released (2.11-7ubuntu3.3)
Ubuntu 14.04 ESM (Trusty Tahr): released (2.11+dfsg-1ubuntu1.2+esm1)
Ubuntu 16.04 LTS (Xenial Xerus): released (2.11+dfsg-5ubuntu1.1)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.12+dfsg-6ubuntu0.18.04.1)
Ubuntu 20.04 LTS (Focal Fossa): released (2.12+dfsg-9ubuntu1)
Patches:
Other: https://cement.retrofitta.se/tmp/cpio-tar.patch
Upstream: http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=7554e3e42cd72f6f8304410c47fe6f8918e9bfd7
More Information

Updated: 2020-07-28 20:06:45 UTC (commit d26b6ca9f5b3adb89bb036ce73ae7dab894935ec)