type: security
subject: Updated cpio packages fix security vulnerabilities
CVE:
 - CVE-2015-1197
 - CVE-2019-14866
src:
  7:
   core:
     - cpio-2.13-1.mga7
description: |
  in cpio 2.11, when using the --no-absolute-filenames option, allows local
  users to write to arbitrary files via a symlink attack on a file in an
  archive (CVE-2015-1197).

  Thomas Habets discovered that GNU cpio incorrectly handled certain
  inputs. An attacker could possibly use this issue to privilege escalation
  (CVE-2019-14866).

  cpio has been updated to 2.13 that fixes theese issues.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=25680
 - https://usn.ubuntu.com/4176-1/