ALT-PU-2023-5721-3

Package update cpio in branch sisyphus

Version2.14.0.4.e3cc-alt1

Published2026-02-04

Max severityHIGH

Severity:

Closed issues (4)

HIGH7.3

Уязвимость компонента dstring.c пакета cpio операционной системы Debian GNU/Linux, позволяющая нарушителю выполнить произвольный код через созданный файл

Published: 2021-10-21Modified: 2026-01-20

CVSS 3.xHIGH 7.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

References

CVE-2021-38185

MEDIUM4.0

Уязвимость двоичного архиватора cpio, связанная с неправильным ограничением имени пути к ограниченному каталогу, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-09-04Modified: 2026-04-29

CVSS 3.xMEDIUM 4.0

CVSS:3.x/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS 2.0LOW 2.1

CVSS:2.0/AV:L/AC:L/Au:N/C:N/I:P/A:N

References

CVE-2023-7207

HIGH7.8

GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.

Published: 2021-08-08Modified: 2025-06-09

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 7.8

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

MEDIUM4.9

Debian's cpio contains a path traversal vulnerability. This issue was introduced by reverting CVE-2015-1197 patches which had caused a regression in --no-absolute-filenames. Upstream has since provided a proper fix to --no-absolute-filenames.

Published: 2024-02-29Modified: 2025-08-26

CVSS 3.xMEDIUM 4.9

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

References