UbuntuUpdates.org

Package "cpio"

Name: cpio

Description:

This package is just an umbrella for a group of other packages; it has no description.
Description samples from packages in group:

  • GNU cpio -- a program to manage archives of files (win32 build)

Latest version: 2.13+dfsg-7ubuntu0.1
Release: jammy (22.04)
Level: updates
Repository: universe




Other versions of "cpio" in Jammy

Repository  Area      Version
base        main      2.13+dfsg-7
base        universe  2.13+dfsg-7
security    main      2.13+dfsg-7ubuntu0.1
security    universe  2.13+dfsg-7ubuntu0.1
updates     main      2.13+dfsg-7ubuntu0.1



Changelog

Version: 2.13+dfsg-7ubuntu0.1 2024-04-29 13:07:02 UTC

  cpio (2.13+dfsg-7ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Path traversal vulnerability
    - debian/patches/CVE-2023-7207.patch: Create symlink placeholder
      if --no-absolute-filenames was given and replace placeholders
      after extraction.
    - debian/patches/revert-CVE-2015-1197-handling.patch: Removed.
    - CVE-2023-7207

 -- Fabian Toepfer <email address hidden> Sun, 28 Apr 2024 14:30:36 +0200

CVE-2023-7207: Debian's cpio contains a path traversal vulnerability. This issue was introduced by reverting CVE-2015-1197 patches which had caused a regression in
CVE-2015-1197: cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive


