Date: Mon, 2 Feb 2015 18:48:35 +0100
From: Vitezslav Cizek <>
Subject: Re: CVE Request: cpio -- directory traversal


* On Friday 16 January 2015, 03:44:25 [CET] Alexander Cherepanov wrote:
> Hi!
> cpio is susceptible to a directory traversal vulnerability via symlinks.

Here's a patch we've been using in SUSE for some time.
It forbids writing over symlinks, similar to bsdtar.
It also adds a new option "--extract-over-symlinks" to restore the original

I sent it to Sergey Poznyakoff (upstream maintainer) in July,
but there was no response.

Here's a corresponding bug in SUSE bugzilla:

> Initial report:
> Upstream report:
> Some discussion:
> Could CVE(s) please be assigned?
> -- 
> Alexander Cherepanov

Vita Cizek

View attachment "cpio-check_for_symlinks.patch" of type "text/x-patch" (5057 bytes)

