CVE-2014-1197

Name of the Vulnerable Software and Affected Versions GNU Cpio version 2.11

Description The issue allows a rogue archive to write files outside the current directory by bypassing the --no-absolute-filenames option using symlinks. While extracting an archive, GNU Cpio will extract symlinks and then follow them if they are referenced in further entries.

Recommendations For GNU Cpio version 2.11, consider avoiding the use of the --no-absolute-filenames option until a patch is available, and restrict access to symlinks in archives to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.