Security update for cpio SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2593-1 Final 1 1 2019-11-30T19:16:20Z current 2019-11-30T19:16:20Z 2019-11-30T19:16:20Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cpio This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2593 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/S6XCUOVCXNQ6F2SKISA7LWT5WFS5W7MT/#S6XCUOVCXNQ6F2SKISA7LWT5WFS5W7MT E-Mail link for openSUSE-SU-2019:2593-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1155199 SUSE Bug 1155199 https://www.suse.com/security/cve/CVE-2019-14866/ SUSE CVE CVE-2019-14866 page openSUSE Leap 15.0 cpio-2.12-lp150.2.3.1 cpio-lang-2.12-lp150.2.3.1 cpio-mt-2.12-lp150.2.3.1 cpio-2.12-lp150.2.3.1 as a component of openSUSE Leap 15.0 cpio-lang-2.12-lp150.2.3.1 as a component of openSUSE Leap 15.0 cpio-mt-2.12-lp150.2.3.1 as a component of openSUSE Leap 15.0 In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system. CVE-2019-14866 openSUSE Leap 15.0:cpio-2.12-lp150.2.3.1 openSUSE Leap 15.0:cpio-lang-2.12-lp150.2.3.1 openSUSE Leap 15.0:cpio-mt-2.12-lp150.2.3.1 moderate 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/S6XCUOVCXNQ6F2SKISA7LWT5WFS5W7MT/#S6XCUOVCXNQ6F2SKISA7LWT5WFS5W7MT https://www.suse.com/security/cve/CVE-2019-14866.html CVE-2019-14866 https://bugzilla.suse.com/1155199 SUSE Bug 1155199