hi,

On Sun, Jul 29, 2018 at 09:23:49AM +0200, Salvatore Bonaccorso wrote:
> Control: tags -1 + patch
>
> Hi
>
> Upstream commit fixing the issue should be
>
> https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=7d55037f89ab630125c37e6fc571cf36bb0a94c3
Though, when applying since there was a previous fix for CVE-2016-2037 which did not land upstream afaics in this form, the commit will not apply cleanly per se and one needs to make sure CVE-2016-2037 is not re-opened.

Upstream did apply another fix for CVE-2016-2037:
https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=d36ec5f4e93130efb24fb9678aafd88e8070095b

There is actually #851632 for the regression caused by our patch for CVE-2016-2037. So probably best approach is to revert our patch and apply the proper upstream patch (and close #851632).

Regards,
Salvatore

