{"id":"MGASA-2019-0326","summary":"Updated cpio packages fix security vulnerabilities","details":"in cpio 2.11, when using the --no-absolute-filenames option, allows local\nusers to write to arbitrary files via a symlink attack on a file in an\narchive (CVE-2015-1197).\n\nThomas Habets discovered that GNU cpio incorrectly handled certain\ninputs. An attacker could possibly use this issue to privilege escalation\n(CVE-2019-14866).\n\ncpio has been updated to 2.13 that fixes theese issues.\n","modified":"2026-04-16T01:46:50.489107301Z","published":"2019-11-14T16:58:51Z","upstream":["CVE-2015-1197","CVE-2019-14866"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2019-0326.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=25680"},{"type":"WEB","url":"https://usn.ubuntu.com/4176-1/"}],"affected":[{"package":{"name":"cpio","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/cpio?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.13-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2019-0326.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}