Change logs for cpio source package in Focal

  • cpio (2.13+dfsg-2ubuntu0.4) focal-security; urgency=medium
    
      * SECURITY UPDATE: Path traversal vulnerability
        - debian/patches/CVE-2023-7207.patch: Create symlink placeholder
          if --no-absolute-filenames was given and replace placeholders
          after extraction.
        - debian/patches/revert-CVE-2015-1197-handling.patch: Removed.
        - CVE-2023-7207
    
     -- Fabian Toepfer <email address hidden>  Sun, 28 Apr 2024 14:31:25 +0200
  • cpio (2.13+dfsg-2ubuntu0.3) focal-security; urgency=medium
    
      * SECURITY UPDATE: arbitrary code execution via crafted pattern file
        - debian/patches/CVE-2021-38185.patch: rewrite dynamic string support
          in src/copyin.c, src/copyout.c, src/copypass.c, src/dstring.c,
          src/dstring.h, src/util.c.
        - debian/patches/CVE-2021-38185.2.patch: don't call ds_resize in a loop
          in src/dstring.c.
        - debian/patches/CVE-2021-38185.3.patch: fix dynamic string
          reallocations in src/dstring.c.
        - CVE-2021-38185
    
     -- Marc Deslauriers <email address hidden>  Wed, 25 Aug 2021 06:52:28 -0400
  • cpio (2.13+dfsg-2) unstable; urgency=medium
    
      * Fix a regression in handling of CVE-2015-1197 & --no-absolute-filenames by
        reverting part of an upstream commit. (Closes: #946267, #946469)
      * Add Vcs-Git and Vcs-Browser pointing to my personal Salsa repository (in
        lieu of anything at all).
      * Bump Standards-Version to 4.5.0.
    
     -- Chris Lamb <email address hidden>  Sat, 01 Feb 2020 14:11:00 +0100
  • cpio (2.13+dfsg-1) unstable; urgency=medium
    
      * New upstream release.
      * Autoreconf using version 1.16.1 and update autoreconf.patch.
      * Update patches:
        - Drop patch for CVE-2016-2037; applied upstream.
        - Drop CVE-2015-1197.patch; now addressed upstream.
        - Modify doc/Makefile.am (vs. doc/Makefile.in) prior to autoreconfing vs.
          the generated doc/Makefile.in.
        - Refresh whitespace, etc. in patches via pq import/export.
      * debian/control:
        - Bump Standards-Version to 4.4.1
        - Drop misleading Vcs-{Git,Browser}.
        - Use HTTPS Homepage URI.
        - Specify Rules-Requires-Root: binary-targets.
    
     -- Chris Lamb <email address hidden>  Wed, 20 Nov 2019 13:33:36 -0500
  • cpio (2.12+dfsg-9ubuntu1) focal; urgency=medium
    
      * SECURITY UPDATE: Improper input validation
        - debian/patches/CVE-2019-14866.patch: improve diagnostics,
          remove to_oct_or_error, adding new macro in
          src/copyout.c, src/extern.h, src/tar.c.
        - CVE-2019-14866
    
     -- <email address hidden> (Leonidas S. Barbosa)  Wed, 06 Nov 2019 13:53:33 -0300
  • cpio (2.12+dfsg-9) unstable; urgency=medium
    
      * Reinstate the call to update-alternatives(1) that I didn't see in the prerm
        script. Thanks again to Ivo De Decker. (Closes: #926698)
    
     -- Chris Lamb <email address hidden>  Tue, 23 Apr 2019 16:29:37 +0100