GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-08-07T00:00:00

Updated: 2024-08-04T01:37:16.303Z

Reserved: 2021-08-07T00:00:00

Link: CVE-2021-38185

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-08-08T00:15:07.027

Modified: 2023-06-04T22:15:22.327

Link: CVE-2021-38185

cve-icon Redhat

Severity : Moderate

Publid Date: 2021-08-06T00:00:00Z

Links: CVE-2021-38185 - Bugzilla