CVE-2023-7216

Name: CVE-2023-7216
Description: A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which allows writing files in arbitrary directories through symlinks.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Notes

Disputed cpio issue, probably going to be rejected
https://bugzilla.redhat.com/show_bug.cgi?id=2249901
Upstream considers it normal behavior:
https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html
