harrysintonen, #Debian stable cpio is currently #vulnerable to path traversal due to reverting a security patch for CVE-2015-1197. This allows malicious cpio archives to overwrite arbitrary files with permission of the user extracting the archive (think of crontab files, .authorized_keys, .bash_profile or similar). Note that tools and applications calling cpio indirectly are vulnerable as well. cpio update fixing this #vulnerability should become available shortly.
Add comment