|Description||Race condition in cpio 2.6 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)|
|NVD severity||low (attack range: local)|
Vulnerable and fixed packages
The table below lists information on source packages.
|cpio (PTS)||wheezy, wheezy (security)||2.11+dfsg-0.1+deb7u2||fixed|
|jessie (security), jessie||2.11+dfsg-4.1+deb8u1||fixed|
|buster, sid, stretch||2.11+dfsg-6||fixed|
The information below is based on the following data on fixed versions.