Note: this bug is actually a duplicate of CVE-2015-1197. See CVE-2015-1197 for information regarding this. A possible --no-absolute-filenames bypass while extracting a malicious archive in cpio. This allows for arbitrary file creation.
External References: http://lists.gnu.org/archive/html/bug-cpio/2017-06/msg00001.html
Created cpio tracking bugs for this issue: Affects: fedora-all [bug 1539688]
Acknowledgments: Name: Cedric Buissart (Red Hat)
Hi Cedric, Isn't that a duplicate of CVE-2015-1197? Regards, Salvatore
Sorry to be more specific, there are references in the MITRE entry at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1197 . https://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html Was posted on the cpio bug list, but I think it never got a reply. Several distributions seem to have then applied the patch from SuSE (at least in Debian, SUSE, Ubuntu, Mageia). Regards, Salvatore
Hi Doran, hi Cedric https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7516 has been updated. Regards, Salvatore
Hi Salvatore, Ouch ... thanks! I had missed it :(
*** This bug has been marked as a duplicate of bug 1179773 ***