Advisories ยป MGASA-2019-0326

Updated cpio packages fix security vulnerabilities

Publication date: 14 Nov 2019
Modification date: 14 Nov 2019
Type: security
Affected Mageia releases : 7
CVE: CVE-2015-1197 , CVE-2019-14866

Description

in cpio 2.11, when using the --no-absolute-filenames option, allows local
users to write to arbitrary files via a symlink attack on a file in an
archive (CVE-2015-1197).

Thomas Habets discovered that GNU cpio incorrectly handled certain
inputs. An attacker could possibly use this issue to privilege escalation
(CVE-2019-14866).

cpio has been updated to 2.13 that fixes theese issues.
                

References

SRPMS

7/core