DescriptionHeap-based buffer overflow in the process_copy_in function in GNU Cpio 2.11 allows remote attackers to cause a denial of service via a large block value in a cpio archive.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-111-1, DSA-3111-1
NVD severitymedium (attack range: remote)
Debian Bugs772793

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cpio (PTS)wheezy, wheezy (security)2.11+dfsg-0.1+deb7u2fixed
jessie (security), jessie2.11+dfsg-4.1+deb8u1fixed
buster, sid2.12+dfsg-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs

Notes (fix buffer overflow) (fix range checking of length of link name) (fixup of former commit) (fix null deref) (fix test suite in former commit)

Search for package or bug name: Reporting problems