Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 27 Dec 2023 12:46:54 +0100
From: Ingo Br├╝ckl <>
Cc: Markus Koschany <>
Subject: xarchiver: Path traversal with crafted cpio archives


I was alerted by febinrev on GitHub to a vulnerability in xarchiver that
stems from a vulnerability in cpio, which is called by xarchiver to extract
cpio and rpm archives.

It is a path traversal vulnerability with maliciously crafted cpio archives
that affects all cpio versions up to and including 2.12 (see CVE-2015-1197).
The vulnerability has been fixed in cpio 2.13.

However, due to two bug reports (#946267 and #946469), Debian has patched
cpio 2.13 which re-enables the path traversal vulnerability, thus affecting
all distributions that use Debian cpio 2.13 directly or have applied their
"revert-CVE-2015-1197-handling" patch. Debian has been informed and is
working on a security fix.

Instructions from febinrev to craft a cpio archive to demonstrate the

  mkdir test_cpio
  ln -sf /tmp/ test_cpio/tmp
  echo "TEST Traversal" > test_cpio/tmpYtrav.txt
  cd test_cpio/
  ls | cpio -ov > ../trav.cpio
  cd ../
  sed -i s/"tmpY"/"tmp\/"/g trav.cpio


  cpio -id --no-absolute-filenames -I trav.cpio

doesn't prevent path traversal with affected cpio versions, and such an
archive can be further obfuscated with file extensions such as .rar or

Malicious cpio archives that exploit this vulnerability can overwrite files
in locations such as ~/.ssh, ~/.bashrc, ~/.config/autostart/, etc.

In addition to xarchiver, all other GUI front-ends for archive management
that call cpio as a command-line program are most likely also affected!


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.