CVE-2023-7216

Name: CVE-2023-7216
Description: A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which allows files to be written in arbitrary directories through symlinks.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Notes

Disputed cpio issue, probably going to be rejected
https://bugzilla.redhat.com/show_bug.cgi?id=2249901
Upstream considers it normal behavior:
https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html
