CVE-2023-7216

Name: CVE-2023-7216
Description: A path traversal vulnerability was found in the GNU cpio utility. A remote, unauthenticated attacker could exploit it by tricking a user into extracting a specially crafted archive. During extraction, cpio could follow a symbolic link created by an earlier entry of the same archive, so the contents of a later entry are written outside the intended directory. An attacker could use this to overwrite files and, through them, run arbitrary commands on the target system.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
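The symlink-following behaviour the description refers to, as an added illustration that is not part of this tracker page or of the cpio source: the Python below writes a small newc-format cpio archive (the constructed sample holds a symlink entry `lnk -> ../outside` followed by a regular file `lnk/pwned`), extracts it once with a deliberately naive extractor that mirrors the vulnerable behaviour, and once with a hardened extractor that refuses to create any entry through an existing symlink. All function names (`build_newc_archive`, `parse_newc`, `naive_extract`, `safe_extract`, `check_entry_path`, `run_demo`) and the temporary directory layout are assumptions of this example; the `outside` directory stands in for a sensitive location such as a user's home directory.

```python
import os
import stat
import tempfile

NEWC_MAGIC = b"070701"   # SVR4 "new ASCII" cpio format, as written by `cpio -o -H newc`
HEADER_LEN = 110         # magic (6) + 13 fields of 8 hex chars each


def _newc_header(name: bytes, mode: int, size: int) -> bytes:
    """Build one newc header (ino, uid, gid, mtime, dev fields are zero; nlink=1)."""
    fields = [0, mode, 0, 0, 1, 0, size, 0, 0, 0, 0, len(name) + 1, 0]
    hdr = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields) + name + b"\0"
    return hdr + b"\0" * (-len(hdr) % 4)   # header + name is padded to a 4-byte boundary


def build_newc_archive(entries) -> bytes:
    """entries: iterable of (name, mode, payload); payload is file data or the symlink target."""
    out = b""
    for name, mode, payload in entries:
        out += _newc_header(name.encode(), mode, len(payload))
        out += payload + b"\0" * (-len(payload) % 4)   # file data is padded to 4 bytes too
    return out + _newc_header(b"TRAILER!!!", 0, 0)


def parse_newc(data: bytes):
    """Yield (name, mode, payload) for each entry up to the TRAILER!!! record."""
    off = 0
    while True:
        if data[off:off + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % off)
        f = [int(data[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = data[off + HEADER_LEN:off + HEADER_LEN + namesize - 1].decode()
        start = off + HEADER_LEN + namesize
        start += -start % 4
        if name == "TRAILER!!!":
            return
        yield name, mode, data[start:start + size]
        off = start + size
        off += -off % 4


def build_malicious_archive() -> bytes:
    """Constructed sample: a symlink entry, then a file entry whose path goes through it."""
    return build_newc_archive([
        ("lnk", stat.S_IFLNK | 0o777, b"../outside"),   # points outside the extraction dir
        ("lnk/pwned", stat.S_IFREG | 0o644, b"owned by the archive\n"),
    ])


def naive_extract(archive: bytes, dest: str):
    """Vulnerable behaviour: trusts entry paths and lets the OS follow on-disk symlinks."""
    written = []
    for name, mode, payload in parse_newc(archive):
        path = os.path.join(dest, name)
        if stat.S_ISLNK(mode):
            os.symlink(payload.decode(), path)
        else:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:   # open() follows dest/lnk -> ../outside
                fh.write(payload)
        written.append(path)
    return written, []


def check_entry_path(dest_real: str, name: str):
    """Return a rejection reason, or None if `name` may be created under dest_real."""
    parts = name.split("/")
    if os.path.isabs(name) or ".." in parts or "" in parts:
        return "absolute path, empty or '..' component"
    cur = dest_real
    for part in parts:   # every component, including the final one
        cur = os.path.join(cur, part)
        if os.path.islink(cur):   # an earlier entry (or the system) put a symlink here
            return "path goes through symlink %r" % os.path.relpath(cur, dest_real)
    return None


def safe_extract(archive: bytes, dest: str):
    """Hardened behaviour: never create an entry through an existing symlink."""
    dest_real = os.path.realpath(dest)
    written, rejected = [], []
    for name, mode, payload in parse_newc(archive):
        reason = check_entry_path(dest_real, name)
        if reason:
            rejected.append((name, reason))
            continue
        path = os.path.join(dest_real, name)
        if stat.S_ISLNK(mode):
            os.symlink(payload.decode(), path)
        else:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            # O_NOFOLLOW|O_EXCL closes the check-then-open race on the final component (Linux/macOS)
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o644)
            with os.fdopen(fd, "wb") as fh:
                fh.write(payload)
        written.append(path)
    return written, rejected


def run_demo():
    """Extract the sample archive with both extractors inside a throwaway directory."""
    archive = build_malicious_archive()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, extractor in (("naive", naive_extract), ("safe", safe_extract)):
            dest = os.path.join(tmp, label, "dest")
            outside = os.path.join(tmp, label, "outside")   # stands in for ~/.ssh, /etc, ...
            os.makedirs(dest)
            os.makedirs(outside)
            _, rejected = extractor(archive, dest)
            results[label] = {
                "escaped": os.path.isfile(os.path.join(outside, "pwned")),
                "rejected": [n for n, _ in rejected],
            }
    return results
```

Calling `run_demo()` reports that the naive extractor left `pwned` in `outside` while the hardened one rejected `lnk/pwned`. The check walks every path component with `os.path.islink` before creating the entry and opens regular files with `O_NOFOLLOW|O_EXCL`; a production extractor should go further and resolve the whole path through directory handles (for example `openat2` with `RESOLVE_BENEATH` on recent Linux) so that intermediate components cannot be swapped for symlinks between the check and the write.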

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release             Version                  Status
cpio (PTS)       buster              2.12+dfsg-9              vulnerable
                 buster (security)   2.12+dfsg-9+deb10u1      vulnerable
                 bullseye            2.13+dfsg-7.1~deb11u1    vulnerable
                 bookworm            2.13+dfsg-7.1            vulnerable
                 trixie, sid         2.15+dfsg-1              vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
cpio      source   (unstable)   (unfixed)

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=2249901
https://lists.gnu.org/archive/html/bug-cpio/2024-02/msg00000.html
