Advisories » MGASA-2019-0326

Updated cpio packages fix security vulnerabilities

Publication date: 14 Nov 2019
Modification date: 14 Nov 2019
Type: security
Affected Mageia releases : 7
CVE: CVE-2015-1197 , CVE-2019-14866

Description

in cpio 2.11, when using the --no-absolute-filenames option, allows local
users to write to arbitrary files via a symlink attack on a file in an
archive (CVE-2015-1197).

Thomas Habets discovered that GNU cpio incorrectly handled certain
inputs. An attacker could possibly use this issue to privilege escalation
(CVE-2019-14866).

cpio has been updated to 2.13 that fixes theese issues.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=25680
• https://usn.ubuntu.com/4176-1/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1197
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14866

SRPMS

7/core

• cpio-2.13-1.mga7