CVE-2014-9112

Publication date 2 December 2014

Last updated 24 July 2024

Ubuntu priority

Heap-based buffer overflow in the process_copy_in function in GNU Cpio 2.11 allows remote attackers to cause a denial of service via a large block value in a cpio archive.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
cpio	14.10 utopic	Fixed 2.11+dfsg-2ubuntu1.1
	14.04 LTS trusty	Fixed 2.11+dfsg-1ubuntu1.1
	12.04 LTS precise	Fixed 2.11-7ubuntu3.1
	10.04 LTS lucid	Fixed 2.10-1ubuntu2.1

Notes

mdeslaur

PoC: http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
cpio	Upstream: ?id=746 Upstream: ?id=54d Upstream: ?id=58d Upstream: ?id=fd2 Upstream: ?id=f6a Vendor: https://www.debian.org/security/2014/dsa-3111

References

Related Ubuntu Security Notices (USN)