Date: Fri, 15 Nov 2019 22:46:16 +0000 (UTC) From: Christian Weisgerber <naddy@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r517704 - head/security/vuxml Message-ID: <201911152246.xAFMkGGZ036489@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: naddy Date: Fri Nov 15 22:46:16 2019 New Revision: 517704 URL: https://svnweb.freebsd.org/changeset/ports/517704 Log: Document vulnerabilities in GNU cpio < 2.13. Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri Nov 15 22:44:58 2019 (r517703) +++ head/security/vuxml/vuln.xml Fri Nov 15 22:46:16 2019 (r517704) @@ -58,6 +58,42 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="f59af308-07f3-11ea-8c56-f8b156b6dcc8"> + <topic>GNU cpio -- multiple vulnerabilities</topic> + <affects> + <package> + <name>gcpio</name> + <range><lt>2.13</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Sergey Poznyakoff reports:</p> + <blockquote cite="https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html">; + <p>This stable release fixes several potential vulnerabilities</p> + <p>CVE-2015-1197: cpio, when using the --no-absolute-filenames + option, allows local users to write to arbitrary files + via a symlink attack on a file in an archive.</p> + <p>CVE-2016-2037: The cpio_safer_name_suffix function in + util.c allows remote attackers to cause a denial of service + (out-of-bounds write) via a crafted cpio file.</p> + <p>CVE-2019-14866: Improper input validation when writing + tar header fields leads to unexpected tar generation.</p> + </blockquote> + </body> + </description> + <references> + <url>https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html</url>; + <cvename>CVE-2015-1197</cvename> + <cvename>CVE-2016-2037</cvename> + <cvename>CVE-2019-14866</cvename> + </references> + <dates> + <discovery>2019-11-06</discovery> + <entry>2019-11-15</entry> + </dates> + </vuln> + <vuln vid="b48e7b14-052a-11ea-a1de-53b029d2b061"> <topic>libmad -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201911152246.xAFMkGGZ036489>