A vulnerability has been discovered in cpio, which can lead to arbitrary code execution.
| Package | app-arch/cpio on all architectures |
|---|---|
| Affected versions | < 2.13-r1 |
| Unaffected versions | >= 2.13-r1 |
cpio is a file archival tool which can also read and write tar files.
Multiple vulnerabilities have been discovered in cpio. Please review the CVE identifiers referenced below for details.
GNU cpio allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.
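The advisory names the bug class (an integer overflow in the routine that grows a string buffer while reading the pattern file, ending in a heap write past the allocation) but not the code or the fix. The block below is an added example for this advisory, not cpio's dstring.c, not its ds_fgetstr, and not the patched code: a constructed growable-string line reader in which every size computation is checked for wrap-around before it reaches realloc(), which is the property whose absence the advisory describes. The type and function names (dstr_t, dstr_reserve, dstr_getline, scan_text, read_long_line, reserve_check) and the sample pattern file are assumptions of ours.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class in the advisory. This is NOT
 * cpio's dstring.c; the names and layout here are our own. */
typedef struct {
    char *buf;
    size_t len;   /* bytes in use, not counting the NUL terminator */
    size_t cap;   /* bytes allocated for buf */
} dstr_t;

/* Ensure room for `need` more bytes plus a terminator. The arithmetic is
 * checked for wrap-around before it feeds realloc(); an unchecked len+need+1
 * that wraps to a small value is what turns a long input line into an
 * out-of-bounds heap write. */
static int dstr_reserve(dstr_t *s, size_t need) {
    if (s->len > SIZE_MAX - 1 || need > SIZE_MAX - 1 - s->len)
        return -1;                                   /* len + need + 1 would wrap */
    size_t want = s->len + need + 1;
    if (want <= s->cap)
        return 0;
    size_t newcap = s->cap ? s->cap : 16;
    while (newcap < want) {
        if (newcap > SIZE_MAX / 2) { newcap = want; break; }  /* doubling would wrap */
        newcap *= 2;
    }
    char *p = realloc(s->buf, newcap);
    if (p == NULL)
        return -1;
    s->buf = p;
    s->cap = newcap;
    return 0;
}

/* Read one line (without the '\n') into s. Returns its length, or -1 at EOF
 * or on allocation failure. Every stored byte is preceded by a checked
 * reserve, so line length is bounded by memory, never by a wrapped counter. */
static long dstr_getline(dstr_t *s, FILE *fp) {
    int c, got_any = 0;
    s->len = 0;
    while ((c = fgetc(fp)) != EOF) {
        got_any = 1;
        if (c == '\n')
            break;
        if (dstr_reserve(s, 1) != 0)
            return -1;
        s->buf[s->len++] = (char)c;
    }
    if (!got_any || dstr_reserve(s, 0) != 0)
        return -1;
    s->buf[s->len] = '\0';
    return (long)s->len;
}

/* Run dstr_getline over constructed text (a stand-in for a pattern file)
 * through a temporary file; returns the line count and the longest line. */
static long scan_text(const char *text, size_t *longest) {
    FILE *fp = tmpfile();
    if (fp == NULL) return -1;
    fputs(text, fp);
    rewind(fp);
    dstr_t s = {0, 0, 0};
    long n = 0;
    *longest = 0;
    while (dstr_getline(&s, fp) >= 0) {
        n++;
        if (s.len > *longest) *longest = s.len;
    }
    free(s.buf);
    fclose(fp);
    return n;
}

static long count_lines(const char *text) { size_t l; return scan_text(text, &l); }
static size_t longest_line(const char *text) { size_t l = 0; scan_text(text, &l); return l; }

/* Feed a single constructed line of n bytes and return the length recovered. */
static size_t read_long_line(size_t n) {
    char *text = malloc(n + 2);
    if (text == NULL) return 0;
    memset(text, 'a', n);
    text[n] = '\n';
    text[n + 1] = '\0';
    size_t longest = longest_line(text);
    free(text);
    return longest;
}

/* Exercise the wrap-around guard directly with a chosen (len, need) pair. */
static int reserve_check(size_t len, size_t need) {
    dstr_t s = {0, 0, 0};
    s.len = len;
    int rc = dstr_reserve(&s, need);
    free(s.buf);
    return rc;
}

int main(void) {
    const char *sample = "*.c\n*.h\n\nsrc/*";   /* constructed sample pattern file */
    printf("%ld lines, longest %zu\n", count_lines(sample), longest_line(sample));
    printf("long line: %zu bytes\n", read_long_line(100000));
    printf("reserve near SIZE_MAX: %d\n", reserve_check(SIZE_MAX - 1, 1));
    return 0;
}
```

The point to take from the example is the guard in dstr_reserve: a reader that grows its buffer per input byte must refuse, not silently wrap, when len + need + 1 cannot be represented, since a wrapped size passed to realloc() yields a buffer far smaller than the write that follows.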
There is no known workaround at this time.
All cpio users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-arch/cpio-2.13-r1"
Release date: July 01, 2024
Latest revision: July 01, 2024: 1
Severity: normal
Exploitable: local
Bugzilla entries