#1059163 cpio: Path traversal vulnerability

Package:
cpio
Source:
cpio
Description:
GNU cpio -- a program to manage archives of files
Submitter:
Ingo Brückl
Date:
2024-01-05 06:27:06 UTC
Severity:
normal
Tags:
#1059163#5
Date:
2023-12-20 18:55:30 UTC
From:
To:
The patch "revert-CVE-2015-1197-handling" (to close bugs #946267 and #946469)
re-enables path traversal vulnerability with maliciously crafted cpio archives.
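An added example, not part of this bug report or of cpio itself: a Python pre-extraction scanner for newc-format (magic 070701) cpio archives that reports the members a path traversal depends on, namely names that are absolute or still contain a `..` component after normalisation, and symlink members whose target resolves outside the extraction directory. `build_newc`, `iter_newc`, `scan_archive` and the sample archive are constructed for this example and are assumptions, not cpio's own code or the archive from the report.

```python
# Added example (not part of the Debian bug report or the cpio project):
# a defensive pre-extraction scanner for cpio "newc" (SVR4, 070701) archives.
# Assumption: only the newc format is handled; member names are UTF-8.

import posixpath

NEWC_MAGIC = b"070701"
HEADER_LEN = 110          # 6-byte magic + 13 fields of 8 ASCII hex digits
TRAILER = "TRAILER!!!"
S_IFMT, S_IFLNK = 0o170000, 0o120000


def _pad4(n):
    """Padding bytes needed to bring n up to a multiple of 4 (newc alignment)."""
    return (4 - n % 4) % 4


def build_newc(entries):
    """Construct a minimal newc archive from (name, mode, data) triples.
    Constructed here only so the scanner has something to run on offline."""
    out = bytearray()
    for name, mode, data in list(entries) + [(TRAILER, 0, b"")]:
        name_b = name.encode("utf-8") + b"\0"
        # ino, mode, uid, gid, nlink, mtime, filesize, devmaj, devmin,
        # rdevmaj, rdevmin, namesize, check
        fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        out += NEWC_MAGIC + b"".join(b"%08x" % v for v in fields)
        out += name_b + b"\0" * _pad4(HEADER_LEN + len(name_b))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def iter_newc(blob):
    """Yield (name, mode, data) for each member up to the trailer."""
    off = 0
    while off + HEADER_LEN <= len(blob):
        hdr = blob[off:off + HEADER_LEN]
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError("not a newc header at offset %d" % off)
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name_start = off + HEADER_LEN
        raw_name = blob[name_start:name_start + namesize]
        name = raw_name.rstrip(b"\0").decode("utf-8", "replace")
        data_start = name_start + namesize + _pad4(HEADER_LEN + namesize)
        data = blob[data_start:data_start + filesize]
        if len(data) != filesize:
            raise ValueError("truncated member %r" % name)
        if name == TRAILER:
            return
        yield name, mode, data
        off = data_start + filesize + _pad4(filesize)
    raise ValueError("archive ended without TRAILER!!!")


def escapes_root(path):
    """True if path, taken relative to the extraction directory, lands outside it."""
    norm = posixpath.normpath(path)
    return norm.startswith("/") or norm == ".." or norm.startswith("../")


def unsafe_reason(name, mode, data):
    """Return why this member must not be extracted as-is, or None if it is fine."""
    if escapes_root(name):
        return "member name escapes extraction directory"
    if mode & S_IFMT == S_IFLNK:
        # For a symlink member the data field is the link target.
        target = data.decode("utf-8", "replace")
        resolved = posixpath.join(posixpath.dirname(name), target)
        if escapes_root(resolved):
            return "symlink target escapes extraction directory"
    return None


def scan_archive(blob):
    """Return [(name, reason)] for members that should block extraction."""
    findings = []
    for name, mode, data in iter_newc(blob):
        reason = unsafe_reason(name, mode, data)
        if reason:
            findings.append((name, reason))
    return findings


# Constructed sample archive: one benign file, two traversal names,
# one symlink pointing outside the tree and one that stays inside.
SAMPLE = build_newc([
    ("etc/motd", 0o100644, b"hello\n"),
    ("../../etc/cron.d/job", 0o100644, b"* * * * *\n"),
    ("/etc/passwd", 0o100644, b"root:x:0:0\n"),
    ("out", 0o120777, b"/tmp"),
    ("docs/link", 0o120777, b"../README"),
])

if __name__ == "__main__":
    for name, reason in scan_archive(SAMPLE):
        print("REJECT %-25s %s" % (name, reason))
```

Run the scanner over an archive before handing it to any extractor that is not known to carry the CVE-2015-1197 fix; a non-empty result from `scan_archive` is the signal to refuse the archive rather than to extract it into a scratch directory.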

#1059163#12
Date:
2023-12-22 02:43:18 UTC
From:
To:
Hello Ingo,

I have been working on a new Debian version of cpio for the last couple
of days. I hope to upload it today. I will appreciate it very much if
you could give it a try after uploading it.

Thank you for your previous messages related to this security
vulnerability.

I will send those messages to Salvatore.

Kind regards,

Aníbal

#1059163#17
Date:
2023-12-22 06:19:25 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
cpio, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1059163@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated cpio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 22 Dec 2023 16:38:54 +1100
Source: cpio
Architecture: source
Version: 2.14+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Closes: 925021 1049402 1059163 1059238
Changes:
 cpio (2.14+dfsg-1) unstable; urgency=medium
 .
   * New upstream release
     Closes: #1049402
     Noteworthy changes in this release:
     - New option --ignore-dirnlink
       Valid in copy-out mode, it instructs cpio to ignore the actual number
       of links reported for each directory member and always store 2
       instead.
     - Changes in --reproducible option
       The --reproducible option implies --ignore-dirnlink.  In other words,
       it is equivalent to --ignore-devno --ignore-dirnlink --renumber-inodes.
     - Use GNU ls algorithm for deciding timestamp format in -tv mode
     - Bugfixes
       - Fix cpio header verification.
       - Fix handling of device numbers on copy out.
       - Fix calculation of CRC in copy-out mode.
       - Rewrite the fix for CVE-2015-1197.
       - Fix combination of --create --append --directory.
       - Fix appending to archives bigger than 2G.
   * Update uploaders list
     Closes: #925021
   * Standards-Version: 4.6.2
   * Fix Path traversal vulnerability due to partial revert of fix for CVE-2015-1197
     Closes: #1059163
   * cpio-win32 is no longer needed
     Closes: #1059238
Checksums-Sha1:
 eb78be01c0a20b510407d20c8b6271aafa6359b8 1906 cpio_2.14+dfsg-1.dsc
 c07f9046d70b4d83f873138bb7561e7b218ce6b9 1515680 cpio_2.14+dfsg.orig.tar.bz2
 9336fac43abbb385ffc8637c67120a90e508ec0d 15096 cpio_2.14+dfsg-1.debian.tar.xz
 0b09f929fb782060d6594b90aa49d8d7326bebd5 5582 cpio_2.14+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 1317473ea3b00cebce77af6ed954f98088087a460aa7a804c87c5def78b990a3 1906 cpio_2.14+dfsg-1.dsc
 a45e1c39445fe663e0184d4d72b9f3d5f7ca273e875ce1992fafe49babff592c 1515680 cpio_2.14+dfsg.orig.tar.bz2
 345cacb20aa4407f5db41ce9ea47c53a0304db8cec7031536f033bc1c44ac957 15096 cpio_2.14+dfsg-1.debian.tar.xz
 d3468c3b3527726a39db610cd94eecd15c718cd96e9c9f46251ea9cdce4f6273 5582 cpio_2.14+dfsg-1_amd64.buildinfo
Files:
 24196598763567c4564a0444d0f4863e 1906 utils important cpio_2.14+dfsg-1.dsc
 a13f5918ce2580c1da5ea98dd8b34722 1515680 utils important cpio_2.14+dfsg.orig.tar.bz2
 33392e3b8e3a8d5acf3ef044ef2ace1c 15096 utils important cpio_2.14+dfsg-1.debian.tar.xz
 75094246fbcf85ac90766840c2d36711 5582 utils important cpio_2.14+dfsg-1_amd64.buildinfo

#1059163#24
Date:
2023-12-22 07:42:46 UTC
From:
To:
Hi Anibal,

Thanks for this upload to unstable. Can you check if the upstream
redone changes for CVE-2015-1197 are backportable, and if so can you
address the issue in the upcoming point releases for bookworm and
bullseye?

Regards,
Salvatore

#1059163#29
Date:
2023-12-22 09:46:19 UTC
From:
To:
#1059163#34
Date:
2023-12-23 07:59:07 UTC
From:
To:
Hi Anibal,

Great, thanks a lot.

I have added the above as well for reference in the security-tracker.

Regards,
Salvatore

#1059163#39
Date:
2023-12-27 10:48:35 UTC
From:
To:
It looks good to me.

Regards,

Ingo

#1059163#44
Date:
2024-01-05 02:01:18 UTC
From:
To:
Please refer to this path traversal vulnerability as CVE-2023-7207.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7207

#1059163#49
Date:
2024-01-05 06:07:10 UTC
From:
To:
Control: retitle -1 cpio: CVE-2023-7207: Path traversal vulnerability due to partial revert of fix for CVE-2015-1197

Thanks Mark. Added it as such to our tracker.

Anibal, the dates are not fixed yet, but the point releases are
expected around beginning of february.

Regards,
Salvatore