CVE-2019-14866

Name: CVE-2019-14866
Description: improper input validation when writing tar header fields leads to unexpected tar generation
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1981-1
Debian Bugs: 941412

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release              | Version               | Status
cpio (PTS)     | jessie               | 2.11+dfsg-4.1+deb8u1  | vulnerable
               | jessie (security)    | 2.11+dfsg-4.1+deb8u2  | fixed
               | stretch              | 2.11+dfsg-6           | vulnerable
               | bullseye, sid, buster| 2.12+dfsg-9           | vulnerable

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version         | Urgency | Origin     | Debian Bugs
cpio    | source | (unstable) | (unfixed)             | low     |            | 941412
cpio    | source | jessie     | 2.11+dfsg-4.1+deb8u2  |         | DLA-1981-1 |

Notes

[buster] - cpio <no-dsa> (Minor issue)
[stretch] - cpio <no-dsa> (Minor issue)
https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg00003.html
http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=7554e3e42cd72f6f8304410c47fe6f8918e9bfd7
