Bug 10286

Summary: cpio security vulnerabilities CVE-2015-1197 , CVE-2019-14866
Product: [ROSA-based products] ROSA Fresh Reporter: Zombie Ryushu <zombie.ryushu>
Component: Packages from MainAssignee: ROSA Linux Bugs <bugs>
Status: CONFIRMED --- QA Contact: ROSA Linux Bugs <bugs>
Severity: normal    
Priority: Normal CC: alzim, andrey.bondrov, denis.silakov, mc2374
Version: All   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://advisories.mageia.org/MGASA-2019-0326.html
Whiteboard:
Platform: --- ROSA Vulnerability identifier: CVE-2015-1197 , CVE-2019-14866
RPM Package: cpio ISO-related:
Bad POT generating: Upstream:

Description Zombie Ryushu 2019-11-16 01:15:41 MSK 
in cpio 2.11, when using the --no-absolute-filenames option, allows local
users to write to arbitrary files via a symlink attack on a file in an
archive (CVE-2015-1197).

Thomas Habets discovered that GNU cpio incorrectly handled certain
inputs. An attacker could possibly use this issue to privilege escalation
(CVE-2019-14866).

cpio has been updated to 2.13 that fixes theese issues.
Comment 1 Zombie Ryushu 2020-03-28 22:19:44 MSK 
The cpio update to 2.13 in MGASA-2019-0326 contained an upstream fix for
CVE-2015-1197 symlink attack. Unfortunately that fix caused a regression
on atleast some systems using lvm or mdadm, causing them to crash on 
shutdown or reboot.

This update solves this by reverting the upstream fix, and restoring
the older well tested variant of the fix that is known to not cause
crashes.