#Debian stable cpio is currently #vulnerable to path traversal due to reverting a security patch for CVE-2015-1197. This allows malicious cpio archives to overwrite arbitrary files with permission of the user extracting the archive (think of crontab files, .authorized_keys, .bash_profile or similar). Note that tools and applications calling cpio indirectly are vulnerable as well. cpio update fixing this #vulnerability should become available shortly.
It should be noted that attacks towards this #vulnerability may be able to hide the fact that the attack vector is a cpio archive. Some tools do not depend on the filename extension when determining how to decompress a file, and thus might extract the file with cpio command even if the filename extension is different.
So for now I would recommend caution when extracting archives originating from unknown sources, at least when utilizing "smart" tools for decompression.
Add comment