It was reported [1] that bsdcpio tool from libarchive bundle is susceptible to a directory traversal vulnerability via absolute paths. Initial discussion: http://www.openwall.com/lists/oss-security/2015/01/07/5 Upstream report: https://groups.google.com/d/msg/libarchive-discuss/dN9y1VvE1Qk/Z9uerigjQn0J Proposed (minimal) fix (non-Windows): https://groups.google.com/group/libarchive-discuss/attach/a78932ecb50340ae/0001-Quick-n-dirty-fix-for-bsdcpio-directory-traversal-vu.patch?part=0.1 Discussion is ongoing, no upstream fix is available yet. [1]: http://seclists.org/oss-sec/2015/q1/145
Created libarchive tracking bugs for this issue: Affects: fedora-all [bug 1192488] Affects: epel-all [bug 1192489]
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Upstream patch: https://github.com/libarchive/libarchive/commit/5935715