-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:066
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : cpio
Date : March 27, 2015
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
The updated cpio package fixes a security vulnerability:
In GNU Cpio 2.11, the --no-absolute-filenames option limits
extraction of an archive's contents to strictly inside the current
directory. However, this restriction can be bypassed with symlinks:
while extracting an archive, cpio extracts symlinks and then follows
them if they are referenced in later entries. A rogue archive can
exploit this to write files outside the current directory
(CVE-2015-1197).
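Added example (not part of the Mandriva advisory or of GNU cpio): a
pre-extraction check that parses a cpio archive in the newc format and
reports entries whose path passes through a symlink declared earlier in
the same archive, the pattern described above. The function names and the
sample archive are constructed for illustration; the check is deliberately
conservative and also flags symlinks whose target stays inside the tree.

```python
import stat

def read_newc(buf):
    """Yield (name, mode, data) for each entry of a cpio 'newc' archive."""
    pos = 0
    while True:
        hdr = buf[pos:pos + 110]
        if len(hdr) < 110 or hdr[:6] not in (b"070701", b"070702"):
            raise ValueError("bad newc header at offset %d" % pos)
        # 13 fields of 8 hex digits follow the 6-byte magic
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        start = pos + 110
        name = buf[start:start + namesize - 1].decode("utf-8", "surrogateescape")
        data_at = (start + namesize + 3) & ~3      # name is NUL-padded to 4 bytes
        data = buf[data_at:data_at + filesize]
        pos = (data_at + filesize + 3) & ~3        # data is padded to 4 bytes
        if name == "TRAILER!!!":
            return
        yield name, mode, data

def entries_through_symlinks(buf):
    """List (entry, symlink, target) where an entry's path crosses an earlier symlink."""
    links, hits = {}, []
    for name, mode, data in read_newc(buf):
        parts = [p for p in name.split("/") if p not in ("", ".")]
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in links:
                hits.append((name, prefix, links[prefix]))
                break
        if stat.S_ISLNK(mode):
            links["/".join(parts)] = data.decode("utf-8", "surrogateescape")
    return hits

def pack_entry(name, mode, data=b""):
    """Pack one newc entry (used only to build the constructed sample)."""
    n = name.encode() + b"\0"
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0]
    out = b"070701" + b"".join(b"%08X" % v for v in fields) + n
    out += b"\0" * (-len(out) % 4) + data
    return out + b"\0" * (-len(out) % 4)

# Constructed sample: a directory, a regular file, a symlink, then an entry under the symlink
SAMPLE = (pack_entry("docs", 0o040755) + pack_entry("docs/readme.txt", 0o100644, b"hi\n")
          + pack_entry("out", 0o120777, b"../elsewhere")
          + pack_entry("out/note.txt", 0o100644, b"x\n") + pack_entry("TRAILER!!!", 0))

if __name__ == "__main__":
    for entry, link, target in entries_through_symlinks(SAMPLE):
        print("%s goes through symlink %s -> %s" % (entry, link, target))
```

An archive that produces any hit should be rejected or unpacked only in
an isolated scratch directory until the fixed cpio package is installed.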
_______________________________________________________________________
Ref