Bug 536010 (CVE-2015-1197) - <app-arch/cpio-2.11-r2: directory traversal through symlinks (CVE-2015-1197)
Summary: <app-arch/cpio-2.11-r2: directory traversal through symlinks (CVE-2015-1197)
Alias: CVE-2015-1197
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [glsa glsa]
Depends on: CVE-2014-9112
Reported: 2015-01-08 10:37 UTC by Agostino Sarubbo
Modified: 2019-11-14 19:06 UTC
Description Agostino Sarubbo gentoo-dev 2015-01-08 10:37:56 UTC
From ${URL} :

It was reported [1] that cpio is susceptible to a directory traversal vulnerability.

Original report follows:
While extracting an archive, it will extract symlinks and then follow them if 
they are referenced in further entries. This can be exploited by a rogue 
archive to write files outside the current directory.


1) create a sample archive:

ln -s /tmp dir
echo dir | cpio -oF test.cpio
rm dir
mkdir dir
echo hello > dir/file
echo dir/file | cpio -oAF test.cpio
rm -r dir

2) test it:

cpio --no-absolute-filenames -ivF test.cpio

This will create a symlink "dir" in the current directory and a file 

No patches are available at this time.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
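
An added defensive example, not part of the original report or of cpio: a pre-extraction check that lists entries whose path passes through a symlink created by an earlier record of the same archive, which is the layout the report describes. It assumes the newc ("070701") archive format; the function names and the sample archives are constructed for illustration.

```python
import posixpath
import stat

def newc_entry(name, mode, data=b""):
    """Build one constructed newc ("070701") record for the samples below."""
    raw = name.encode() + b"\0"
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(raw), 0]
    out = b"070701" + b"".join(b"%08X" % f for f in fields) + raw
    out += b"\0" * (-len(out) % 4)  # header + name padded to 4 bytes
    return out + data + b"\0" * (-len(data) % 4)

def parse_newc(blob):
    """Yield (name, mode, data) per record, stopping at TRAILER!!!."""
    pos = 0
    while blob[pos:pos + 6] == b"070701":
        # 13 fields of 8 hex digits follow the 6-byte magic (110-byte header).
        f = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = blob[pos + 110:pos + 109 + namesize].decode()  # drop the NUL
        pos = (pos + 110 + namesize + 3) & ~3
        data = blob[pos:pos + size]
        pos = (pos + size + 3) & ~3
        if name == "TRAILER!!!":
            return
        yield name, mode, data

def entries_through_symlinks(blob):
    """List (entry, symlink, target) where an entry's path crosses a symlink
    that an earlier record of the same archive would have created."""
    links, hits = {}, []
    for name, mode, data in parse_newc(blob):
        path = posixpath.normpath(name)
        parts = path.split("/")
        for i in range(1, len(parts)):
            parent = "/".join(parts[:i])
            if parent in links:
                hits.append((path, parent, links[parent]))
                break
        if stat.S_ISLNK(mode):
            links[path] = data.decode()  # symlink target is the record's data
    return hits

# Constructed samples: the report's layout ("dir" -> /tmp, then "dir/file") and a benign twin.
FILE = newc_entry("dir/file", stat.S_IFREG | 0o644, b"hello\n")
END = newc_entry("TRAILER!!!", 0)
ROGUE = newc_entry("dir", stat.S_IFLNK | 0o777, b"/tmp") + FILE + END
BENIGN = newc_entry("dir", stat.S_IFDIR | 0o755) + FILE + END

if __name__ == "__main__":
    print(entries_through_symlinks(ROGUE), entries_through_symlinks(BENIGN))
```

An archive that yields a non-empty list should be rejected or unpacked only inside a throwaway directory, whatever options cpio is given.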
Comment 1 Tony Vroon gentoo-dev 2015-01-09 11:43:36 UTC
+*cpio-2.11-r2 (09 Jan 2015)
+  09 Jan 2015; Tony Vroon <> +cpio-2.11-r2.ebuild,
+  +files/cpio-2.11-security.patch:
+  Scavenge upstream bug fixes for heap-based buffer overflow and directory
+  traversal through symlinks. For security bugs #530512 and #536010.
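Review bot: The "+files/cpio-2.11-security.patch" line puts the heap-based buffer overflow fix and the symlink traversal fix into one patch file, so neither can be tracked or dropped on its own at a later bump. Consider one patch per bug (#530512 and #536010), and name CVE-2015-1197 in the entry so the fix can be found by its CVE identifier.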

Suggest stabilisation is handled in bug #530512.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-02-15 14:50:06 UTC
This issue was resolved and addressed in
 GLSA 201502-11 at
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-03-03 14:25:17 UTC
CVE-2015-1197 (
  cpio 2.11, when using the --no-absolute-filenames option, allows local users
  to write to arbitrary files via a symlink attack on a file in an archive.
Comment 4 Alexander Tsoy 2019-11-14 19:06:05 UTC
cpio-2.11-security.patch was dropped with 2.12 bump [1]. And upstream fixed this security issue in 2.13 [2] (currently pmasked). Should this bug be reopened?