Arch Linux Security Advisory ASA-201501-5 ========================================= Severity: Medium Date : 2015-01-14 CVE-ID : CVE-2014-9112 Package : cpio Type : heap buffer overflow Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package cpio before version 2.11-5 is vulnerable to a heap buffer overflow. Resolution ========== Upgrade to 2.11-5. # pacman -Syu "cpio>=2.11-5" The problem has been fixed upstream but no release is available yet. Workaround ========== None. Description =========== A heap-based buffer overflow flaw was reported in cpio's list_file() function. Attempting to extract a malicious cpio archive could cause cpio to crash or, potentially, execute arbitrary code. As noted in the original report, this issue could be trigger via other utilities, such as when running "less". Impact ====== An attacker is able to craft a malicious cpio archive which could cause cpio to crash or, potentially, execute arbitrary code. This issue could also be trigger via other utilities, such as when running "less". References ========== http://seclists.org/oss-sec/2014/q4/818 https://savannah.gnu.org/bugs/?43709 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9112