CVE-2019-14866

Hi Sergey, Thomas and cpio Debian maintainers

I have been preparing fixes for CVE-2019-14866 for Debian oldstable and oldoldstable. While doing that I realized that the patch mentioned here (1) do work for amd64 but do not work for i386.

I was able to build on both amd64 and i386 but the fix obviously did not work on i386 since I could reproduce the problem.

I think the reason for this is that a long is 32 bit on i386 while it is 64 bits on amd64.

(1) https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg00003.html

The fix is very simple. Change the "long" to a "long long" in to_out_or_error.

With that correction it works when I build and test on i386.

Please let me know what you think. I'm going to upload a fixed package to debian old and oldold stable tomorrow.

Best regards

// Ola

--- Inguza Technology AB --- MSc in Information Technology ----

| ola@inguza.com opal@debian.org |

| http://inguza.com/ Mobile: +46 (0)70-332 1551 |

---------------------------------------------------------------

Reply to:

Follow-Ups:

Re: CVE-2019-14866
- From: Ola Lundqvist <ola@inguza.com>
Re: CVE-2019-14866
- From: Sergey Poznyakoff <gray@gnu.org.ua>