Bug 1218571 (CVE-2023-7207)

Summary: VUL-0: CVE-2023-7207: cpio: Security vulnerability in Debian's cpio 2.13
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: abergmann, danilo.spinella, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/390128/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-7207:4.0:(AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-01-05 14:37:12 UTC 
Posted by Mark Esler on Jan 05
Please refer to this path traversal vulnerability as CVE-2023-7207.

Upstream fix:
https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=376d663340a9dc91c91a5849e5713f07571c1628

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059163
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7207
Comment 1 Alexander Bergmann 2024-01-05 14:39:39 UTC 
The NVD CVE page is not up-to-date. Please check MITRE instead:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7207
Comment 4 Maintenance Automation 2024-01-26 12:30:09 UTC 
SUSE-SU-2024:0238-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1218571
CVE References: CVE-2023-7207
Sources used:
openSUSE Leap 15.4 (src): cpio-2.13-150400.3.3.1
openSUSE Leap Micro 5.3 (src): cpio-2.13-150400.3.3.1
openSUSE Leap Micro 5.4 (src): cpio-2.13-150400.3.3.1
openSUSE Leap 15.5 (src): cpio-2.13-150400.3.3.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): cpio-2.13-150400.3.3.1
SUSE Linux Enterprise Micro 5.3 (src): cpio-2.13-150400.3.3.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): cpio-2.13-150400.3.3.1
SUSE Linux Enterprise Micro 5.4 (src): cpio-2.13-150400.3.3.1
SUSE Linux Enterprise Micro 5.5 (src): cpio-2.13-150400.3.3.1
Basesystem Module 15-SP5 (src): cpio-2.13-150400.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Maintenance Automation 2024-01-26 16:30:27 UTC 
SUSE-SU-2024:0248-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1218571
CVE References: CVE-2023-7207
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): cpio-2.11-36.18.1
SUSE Linux Enterprise Server 12 SP5 (src): cpio-2.11-36.18.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): cpio-2.11-36.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2024-02-01 20:30:09 UTC 
SUSE-SU-2024:0305-1: An update that has two security fixes can now be installed.

Category: security (moderate)
Bug References: 1218571, 1219238
Sources used:
openSUSE Leap 15.4 (src): cpio-2.13-150400.3.6.1
openSUSE Leap Micro 5.3 (src): cpio-2.13-150400.3.6.1
openSUSE Leap Micro 5.4 (src): cpio-2.13-150400.3.6.1
openSUSE Leap 15.5 (src): cpio-2.13-150400.3.6.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): cpio-2.13-150400.3.6.1
SUSE Linux Enterprise Micro 5.3 (src): cpio-2.13-150400.3.6.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): cpio-2.13-150400.3.6.1
SUSE Linux Enterprise Micro 5.4 (src): cpio-2.13-150400.3.6.1
SUSE Linux Enterprise Micro 5.5 (src): cpio-2.13-150400.3.6.1
Basesystem Module 15-SP5 (src): cpio-2.13-150400.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2024-03-08 20:30:01 UTC 
SUSE-SU-2024:0825-1: An update that has two security fixes can now be installed.

Category: security (moderate)
Bug References: 1218571, 1219238
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): cpio-2.11-36.21.1
SUSE Linux Enterprise Server 12 SP5 (src): cpio-2.11-36.21.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): cpio-2.11-36.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2024-03-08 20:30:04 UTC 
SUSE-SU-2024:0824-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1218571, 1219238
CVE References: CVE-2023-7207
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): cpio-2.12-150000.3.12.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): cpio-2.12-150000.3.12.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): cpio-2.12-150000.3.12.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): cpio-2.12-150000.3.12.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): cpio-2.12-150000.3.12.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): cpio-2.12-150000.3.12.1
SUSE Enterprise Storage 7.1 (src): cpio-2.12-150000.3.12.1
SUSE Linux Enterprise Micro 5.1 (src): cpio-2.12-150000.3.12.1
SUSE Linux Enterprise Micro 5.2 (src): cpio-2.12-150000.3.12.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): cpio-2.12-150000.3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Marcus Meissner 2024-04-16 09:46:35 UTC 
done
Comment 16 Maintenance Automation 2024-05-13 12:30:01 UTC 
SUSE-SU-2024:0305-2: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1218571, 1219238
CVE References: CVE-2023-7207
Maintenance Incident: [SUSE:Maintenance:32275](https://smelt.suse.de/incident/32275/)
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 cpio-2.13-150400.3.6.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 cpio-2.13-150400.3.6.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 cpio-2.13-150400.3.6.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 cpio-2.13-150400.3.6.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 cpio-2.13-150400.3.6.1
SUSE Manager Proxy 4.3 (src):
 cpio-2.13-150400.3.6.1
SUSE Manager Retail Branch Server 4.3 (src):
 cpio-2.13-150400.3.6.1
SUSE Manager Server 4.3 (src):
 cpio-2.13-150400.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.