Integer Overflow or Wraparound Affecting cpio package, versions <0:2.12-11.el8


medium

Snyk CVSS

    Attack Complexity High
    User Interaction Required
    Confidentiality High
    Integrity High
    Availability High
Expand this section
NVD
7.8 high
Expand this section
SUSE
8.8 high
Expand this section
Red Hat
7 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-CENTOS8-CPIO-1970858
  • published 17 Aug 2021
  • disclosed 6 Aug 2021

How to fix?

Upgrade Centos:8 cpio to version 0:2.12-11.el8 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream cpio package and not the cpio package as distributed by Centos:8. See How to fix? for Centos:8 relevant fixed versions and status.

GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.