cpio-2.13-3.3 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10697 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z cpio-2.13-3.3 on GA media These are all security issues fixed in the cpio-2.13-3.3 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10697 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10697 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2015-1197/ SUSE CVE CVE-2015-1197 page https://www.suse.com/security/cve/CVE-2019-14866/ SUSE CVE CVE-2019-14866 page https://www.suse.com/security/cve/CVE-2021-38185/ SUSE CVE CVE-2021-38185 page openSUSE Tumbleweed cpio-2.13-3.3 cpio-lang-2.13-3.3 cpio-mt-2.13-3.3 cpio-2.13-3.3 as a component of openSUSE Tumbleweed cpio-lang-2.13-3.3 as a component of openSUSE Tumbleweed cpio-mt-2.13-3.3 as a component of openSUSE Tumbleweed cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive. CVE-2015-1197 openSUSE Tumbleweed:cpio-2.13-3.3 openSUSE Tumbleweed:cpio-lang-2.13-3.3 openSUSE Tumbleweed:cpio-mt-2.13-3.3 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-1197.html CVE-2015-1197 https://bugzilla.suse.com/1077990 SUSE Bug 1077990 https://bugzilla.suse.com/913677 SUSE Bug 913677 In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system. CVE-2019-14866 openSUSE Tumbleweed:cpio-2.13-3.3 openSUSE Tumbleweed:cpio-lang-2.13-3.3 openSUSE Tumbleweed:cpio-mt-2.13-3.3 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-14866.html CVE-2019-14866 https://bugzilla.suse.com/1155199 SUSE Bug 1155199 GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data. CVE-2021-38185 openSUSE Tumbleweed:cpio-2.13-3.3 openSUSE Tumbleweed:cpio-lang-2.13-3.3 openSUSE Tumbleweed:cpio-mt-2.13-3.3 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-38185.html CVE-2021-38185 https://bugzilla.suse.com/1189206 SUSE Bug 1189206 https://bugzilla.suse.com/1189486 SUSE Bug 1189486 https://bugzilla.suse.com/1192364 SUSE Bug 1192364 https://bugzilla.suse.com/1193391 SUSE Bug 1193391 https://bugzilla.suse.com/1200733 SUSE Bug 1200733