Opened 4 months ago
Closed 4 months ago
#19070 closed enhancement (fixed)
xarchiver-0.5.4.22
| Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | normal | Milestone: | 12.1 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New patch version
Change History (4)
comment:1 by , 4 months ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 4 months ago
comment:3 by , 4 months ago
This appears to be https://github.com/ib/xarchiver/issues/183, where the fix was to reject versions of CPIO prior to 2.12. We have 2.14, so we're all good to go here. https://github.com/ib/xarchiver/commit/85dcd9058a528181c786da1899b68110301d1aa1
The rest of the changes can be found here: https://github.com/ib/xarchiver/compare/0.5.4.21...0.5.4.22
No security advisory is necessary
comment:4 by , 4 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Note:
See TracTickets
for help on using tickets.
I'm going to dig into this a bit and see what this fix is, as it might be a workaround for Debian's reverting of CPIO security patches, which has made Debian vulnerable to path traversal vulnerabilities again