CVE-2021-38185: 
NixOS vulnerability analysis and mitigation

GNU cpio through version 2.13 contains a critical vulnerability (CVE-2021-38185) discovered in August 2021. The vulnerability allows attackers to execute arbitrary code through a crafted pattern file due to an integer overflow in the dstring.c ds_fgetstr function, which triggers an out-of-bounds heap write. The vulnerability specifically affects the pattern file functionality associated with the -E option (NVD).

The vulnerability stems from an integer overflow condition in the ds_fgetstr function within dstring.c. This overflow leads to an out-of-bounds heap write, which can be exploited to achieve arbitrary code execution. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-190 (Integer Overflow or Wraparound) (NVD).

When successfully exploited, this vulnerability allows attackers to execute arbitrary code on the affected system. The exploit can bypass all binary protections except full RELRO. The vulnerability requires significant system resources to exploit, with testing showing successful execution on systems with at least 12GB of RAM due to the need to process gigabytes of input (GitHub POC).

The vulnerability was fixed in GNU cpio with commit dd96882877721703e19272fe25034560b794061b, which rewrote the dynamic string support functionality. Various Linux distributions have released security updates to address this vulnerability. For example, Debian 10 (buster) fixed this issue in version 2.12+dfsg-9+deb10u1 (Debian LTS).

The vulnerability was initially reported by two CS students from Duke University, Maverick Chung and Qiaoyi Fang, who discovered and developed a proof-of-concept exploit. The maintainers responded promptly to the disclosure, with Sergey Poznyakoff implementing a fix shortly after the report (GNU List, GNU Fix).