11 matches found
CLSA-2026-1777368104 Fix CVE(s): CVE-2023-39810
SECURITY UPDATE: directory traversal in cpio extraction - debian/patches/CVE-2023-39810.patch: add FEATURE_PATH_TRAVERSAL_PROTECTION config option, call strip_unsafe_prefix in data_extract_all.c to prevent path traversal via ../ in archive filenames. Covers cpio, ar, rpm. - Enable...
EUVD-2021-1296
Malware in sbrugna...
SUSE-SU-2024:0305-1 Security update for cpio
This update for cpio fixes the following issues: - Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)...
SUSE-SU-2024:0825-1 Security update for cpio
This update for cpio fixes the following issues: - Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)...
UBUNTU-CVE-2023-52138
Engrampa is an archive manager for the MATE environment. Engrampa is found to be vulnerable to a Path Traversal vulnerability that can be leveraged to achieve full Remote Command Execution (RCE) on the target. While handling CPIO archives, the Engrampa Archive manager follows symlink, cpio by defau...
Exploit for Path Traversal in Zimbra Collaboration
cve-2022-41352 generate poc.tar $ chmod +x cpiopocgen...
CVE-2020-7666
This affects all versions of package github.com/u-root/u-root/pkg/cpio. It is vulnerable to leading, non-leading relative path traversal attacks and symlink based relative and absolute path traversal attacks in cpio file extraction...
Arbitrary File Write via Archive Extraction (Zip Slip)
Overview github.com/u-root/u-root/pkg/cpio is a package that provides Go versions of standard Linux tools and bootloaders. It also provides tools for compiling Go programs in a single binary and creating initramfs images. Affected versions of this package are vulnerable to Arbitrary File Write vi...
CVE-2020-7667
In package github.com/sassoftware/go-rpmutils/cpio before version 0.1.0, the CPIO extraction functionality doesn't sanitize the paths of the archived files for leading and non-leading "..", which leads to file extraction outside of the current directory. Note: the fixing commit was applied to all...
Design/Logic Flaw
In package github.com/sassoftware/go-rpmutils/cpio before version 0.1.0, the CPIO extraction functionality doesn't sanitize the paths of the archived files for leading and non-leading "..", which leads to file extraction outside of the current directory. Note: the fixing commit was applied to all...
CVE-2020-7667
In CVE-2020-7667, the go-rpmutils/cpio component allowed directory traversal via CPIO extraction due to improper sanitization of leading/non-leading “..” in archived paths. The fixing commit was applied to all affected versions and those releases were re-released; remediation is to update to a ve...