Two vulnerabilities have been found in GNU cpio, the worst of which could result in execution of arbitrary code.
|Package||app-arch/cpio on all architectures|
|Affected versions||< 2.11-r3|
|Unaffected versions||>= 2.11-r3|
GNU cpio copies files into or out of a cpio or tar archive.
Two vulnerabilities have been discovered in GNU cpio:
A remote attacker may be able to entice a user to open a specially crafted archive using GNU cpio, possibly resulting in execution of arbitrary code, a Denial of Service condition, or overwriting arbitrary files.
There is no known workaround at this time.
All GNU cpio users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=app-arch/cpio-2.11-r3"