In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.
References
Link | Resource |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14866 | Exploit Issue Tracking Mitigation Patch Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2023/06/msg00007.html | |
https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg00003.html | Mailing List Patch Third Party Advisory |
https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html | Exploit Mailing List Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2020-01-07T16:53:51
Updated: 2020-01-07T16:53:51
Reserved: 2019-08-10T00:00:00
Link: CVE-2019-14866
JSON object: View
NVD Information
Status : Modified
Published: 2020-01-07T17:15:11.377
Modified: 2023-06-04T22:15:21.953
Link: CVE-2019-14866
JSON object: View
Redhat Information
No data.
CWE