cpio: directory traversal

ID ASA-201503-22
Type archlinux
Reporter Arch Linux
Modified 2015-03-23T00:00:00


It was reported that cpio is affected by a directory traversal vulnerability when the --no-absolute-filenames option is used. While extracting an archive, cpio extracts symlinks and then follows them if later entries reference them. A rogue archive can exploit this to write to files outside the current directory.
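A pre-extraction check for the pattern described above, as an added example (not code from the advisory or from cpio): it parses a newc-format archive and reports every entry whose path passes through a symlink created earlier in the same archive. The function names and the sample archive are constructed for illustration, only the newc format is handled, and the policy is deliberately conservative: any such entry is flagged regardless of where the symlink points.

```python
import stat

HDR_LEN = 110  # newc header: 6-byte magic + 13 fields of 8 hex digits

def iter_newc(buf):
    """Yield (name, mode, data) for each entry of a newc-format cpio archive."""
    off = 0
    while off + HDR_LEN <= len(buf):
        hdr = buf[off:off + HDR_LEN]
        if hdr[:6] not in (b"070701", b"070702"):
            raise ValueError("no newc magic at offset %d" % off)
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name_at = off + HDR_LEN
        name = buf[name_at:name_at + namesize].rstrip(b"\0").decode("utf-8", "replace")
        data_at = name_at + namesize + (-(name_at + namesize) % 4)  # name is padded to 4 bytes
        off = data_at + filesize + (-(data_at + filesize) % 4)      # so is the file data
        if name == "TRAILER!!!":
            return
        yield name, mode, buf[data_at:data_at + filesize]

def entries_through_symlinks(buf):
    """Return names of entries whose path passes through a symlink the archive itself created."""
    links, flagged = set(), []
    for name, mode, _data in iter_newc(buf):
        # Drop empty and "." components; this also models the leading-slash stripping.
        parts = [p for p in name.split("/") if p not in ("", ".")]
        if any("/".join(parts[:i]) in links for i in range(1, len(parts))):
            flagged.append(name)
        if stat.S_ISLNK(mode):
            links.add("/".join(parts))
    return flagged

def _entry(name, mode, data=b""):
    """Build one newc record (constructed test data only)."""
    n = name.encode() + b"\0"
    f = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0]
    rec = b"070701" + b"".join(b"%08X" % v for v in f) + n
    rec += b"\0" * (-len(rec) % 4) + data
    return rec + b"\0" * (-len(rec) % 4)

# Constructed sample: a normal directory, then a symlink followed by an entry beneath it.
SAMPLE = (_entry("docs", 0o040755) + _entry("docs/readme.txt", 0o100644, b"hi\n")
          + _entry("out", 0o120777, b"../elsewhere")
          + _entry("out/note.txt", 0o100644, b"x") + _entry("TRAILER!!!", 0))

if __name__ == "__main__":
    print(entries_through_symlinks(SAMPLE))
```

Rejecting an archive for which this returns a non-empty list, before handing it to cpio, avoids the symlink-following path entirely.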