Hello Yiğit, Sorry for the delay in responding to this issue. This issue was originally identified as CVE-2015-1197 and fixed around the same time frame. It was addressed in upstream cpio commit https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca in a differently taken approach when vendors fixed the issue in 2015. This differening behavior change resulted in the debian maintainer undoing the symlink mangling portion of the fix via https://salsa.debian.org/lamby/pkg- cpio/-/commit/1d1163018b2ca240a6a1c9404f7e05c3bfa62f94 and this is what has landed in focal and newer.
Relevant debian bug reports: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946267 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946469 upstream thread about the issue: https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00013.html Alas, at this time, it does not appear to have been addressed upstream. Thanks for the report. ** Bug watch added: Debian Bug tracker #946267 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946267 ** Bug watch added: Debian Bug tracker #946469 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946469 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1197 ** Package changed: ubuntu => cpio (Ubuntu) ** Changed in: cpio (Ubuntu) Status: New => Confirmed ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cpio in Ubuntu. https://bugs.launchpad.net/bugs/1904615 Title: cpio symlink traversal Status in cpio package in Ubuntu: Confirmed Bug description: Summary: A malicious file may be able to overwrite arbitrary files Steps to reproduce: 1- Download "dirsymlink.cpio" 2- Extract it with "cpio -i < dirsymlink.cpio" command Proof of concept: dirsymlink.mp4 Version: Ubuntu 20.10 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cpio/+bug/1904615/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
