Advisories MDKSA-2007:233: Updated cpio package fixes buffer overflow and directory traversal vulnerabilities


paul

Buffer overflow in the safer_name_suffix function in GNU cpio has unspecified attack vectors and impact, resulting in a crashing stack. This problem is originally found in tar, but affects cpio too, due to similar code fragments. (CVE-2007-4476)

Directory traversal vulnerability in cpio 2.6 and earlier allows remote attackers to write to arbitrary directories via a .. (dot dot) in a cpio file. This is an old issue, affecting only Mandriva Corporate Server 4 and Mandriva Linux 2007. (CVE-2005-1229)

Updated package fixes these issues.
