Directory traversal vulnerability in cpio 2.6 and earlier allows remote attackers to write to arbitrary directories via a .. (dot dot) in a cpio file.
This issue should also affect RHEL2.1 and RHEL3
Here's the original post: http://marc.theaimsgroup.com/?l=bugtraq&m=111403177526312&w=2
Created attachment 115079
fix candidate

Replace option --no-absolute-filenames with --absolute-filenames.
Do not allow insecure filenames like "/tmp/../../etc/cron/..." (strip "/tmp/../../"),
but there is still a problem with symlinks in cpio:
http://lists.gnu.org/archive/html/bug-cpio/2005-05/msg00003.html
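The prefix stripping described in the comment above, as an added example that is not the attached patch or cpio's own code: the hypothetical function `strip_unsafe_prefix` drops everything up to and including the last `..` component, then any leading `/`, so the member name stays relative to the extraction directory. The sample names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (assumption, not cpio's code): return a pointer
 * into `name` past any prefix that could escape the extraction
 * directory. That prefix is everything up to and including the last
 * ".." component, followed by any leading '/' characters.
 * Returns "." when nothing safe remains.
 * This only sanitizes the name; it does not address the symlink
 * problem mentioned in the comment. */
const char *strip_unsafe_prefix(const char *name)
{
    const char *safe = name;
    const char *p = name;

    while (*p) {
        /* p is at the start of a component; find where it ends. */
        const char *end = p;
        while (*end && *end != '/')
            end++;
        /* Match ".." exactly, so "..." and "a..b" are left alone. */
        if (end - p == 2 && p[0] == '.' && p[1] == '.')
            safe = end;            /* drop everything through this ".." */
        p = end;
        while (*p == '/')          /* skip the separator(s) */
            p++;
    }
    while (*safe == '/')           /* make the remainder relative */
        safe++;
    return *safe ? safe : ".";
}

int main(void)
{
    /* Constructed sample member names, not taken from a real archive. */
    const char *samples[] = {
        "/tmp/../../etc/cron/job", "../../x", "/etc/passwd",
        "dir/a..b/file", "foo/.."
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s -> %s\n", samples[i], strip_unsafe_prefix(samples[i]));
    return 0;
}
```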
This is a functionality change to fix something that is defined, documented behaviour. Therefore a security team review on 20051026 decided this should be marked as WONTFIX.