type: security
subject: Updated cpio packages fix security vulnerabilities
CVE:
 - CVE-2015-1197
 - CVE-2019-14866
src:
  7:
   core:
     - cpio-2.13-1.mga7
description: |
  cpio 2.11, when using the --no-absolute-filenames option, allows local
  users to write to arbitrary files via a symlink attack on a file in an
  archive (CVE-2015-1197).

  Thomas Habets discovered that GNU cpio incorrectly handled certain
  inputs. An attacker could possibly use this issue for privilege escalation
  (CVE-2019-14866).

  cpio has been updated to 2.13, which fixes these issues.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=25680
 - https://usn.ubuntu.com/4176-1/