An out-of-bounds write was found in the way cpio parses certain cpio files. A specially crafted file can cause the application to crash. Original bug report with reproducer: http://seclists.org/oss-sec/2016/q1/136
Created cpio tracking bugs for this issue: Affects: fedora-all [bug 1300208]
Upstream fix: https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html
May I ask why this issue was closed as "WONTFIX"? The cpio versions in Fedora 22 and RHEL 7 are affected and are not patched. According to LWN (lwn.net/Vulnerabilities/675700/), the issue is an out-of-bounds write. cpio might be invoked by amavisd-new email content scanner.
Alright, so there's a tracking bug for Fedora. Mea culpa. Still, RHEL seems affected, too.
It's not uncommon for us to close security issues as WONTFIX if we think that they are not critical enough to warrant an immediate security fix. If you can provide us with additional information, concerns or further questions, you are welcome to contact us via secalert