#VU33721 Input validation error in cpio


Published: 2015-02-19 | Updated: 2020-08-04

Vulnerability identifier: #VU33721

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-1197

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
cpio
Client/Desktop applications / Software for archiving

Vendor: GNU

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive. <a href="http://cwe.mitre.org/data/definitions/61.html">CWE-61: UNIX Symbolic Link (Symlink) Following</a>

Mitigation
Install update from vendor's website.

Vulnerable software versions

cpio: 2.11

External links
http://advisories.mageia.org/MGASA-2015-0080.html
http://www.mandriva.com/security/advisories?name=MDVSA-2015:066
http://www.openwall.com/lists/oss-security/2015/01/07/5
http://www.openwall.com/lists/oss-security/2015/01/18/7
http://www.securityfocus.com/bid/71914
http://www.ubuntu.com/usn/USN-2906-1
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669
http://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Amazon Linux AMI update for cpio
openEuler 22.03 LTS SP1 update for cpio
openEuler 22.03 LTS update for cpio
openEuler 20.03 LTS SP3 update for cpio
openEuler 20.03 LTS SP1 update for cpio
Input validation error in cpio (Alpine package)
Input validation error in GNU cpio
Gentoo update for GNU cpio