Bugzilla – Bug 1219619
VUL-0: CVE-2023-7216: cpio: extraction allows symlinks which enables Remote Command Execution
Last modified: 2024-04-25 14:55:58 UTC
A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which could be utilized to run arbitrary commands on the target system.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7216
https://bugzilla.redhat.com/show_bug.cgi?id=2249901
https://www.cve.org/CVERecord?id=CVE-2023-7216
https://access.redhat.com/security/cve/CVE-2023-7216
I don't see any fix upstream. I triggered the path traversal on:
- SUSE:SLE-15-SP4:Update
- SUSE:ALP:Source:Standard:1.0
- openSUSE:Factory
https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html

> First of all, I would like to confirm with you, do you accept
> CVE-2023-7216? Is CVE-2023-7216 a bug or is it the default
> behavior of cpio software?

It is a normal behavior. Please use the --no-absolute-filenames option to avoid it, if it is not desired.

Regards,
Sergey
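As an added example (not from this bug report or from the cpio project): a pre-extraction audit of an SVR4 "newc" (magic 070701) cpio archive that flags the three conditions discussed in this thread: absolute filenames (the case --no-absolute-filenames addresses), symlink entries whose target leaves the extraction root, and later entries whose path runs through an earlier symlink entry. The archive format handling is the standard newc layout; the sample archive at the bottom is constructed inline for the audit.

```python
import posixpath
import stat

def newc_entries(data: bytes):
    """Yield (name, mode, payload) for each entry of an SVR4 'newc' (magic 070701) cpio archive."""
    off = 0
    while off + 110 <= len(data):
        hdr = data[off:off + 110]
        if hdr[:6] != b"070701":
            raise ValueError("not a newc header at offset %d" % off)
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]  # thirteen 8-char hex fields
        mode, filesize, namesize = f[1], f[6], f[11]
        name = data[off + 110:off + 110 + namesize - 1].decode()    # drop trailing NUL
        off = (off + 110 + namesize + 3) & ~3       # header + name padded to 4 bytes
        payload = data[off:off + filesize]          # for a symlink this is the link target
        off = (off + filesize + 3) & ~3             # data padded to 4 bytes
        if name == "TRAILER!!!":
            return
        yield name, mode, payload

def escapes(path: str) -> bool:
    return path.startswith("/") or posixpath.normpath(path).split("/")[0] == ".."  # "/x" or "../x"

def audit(data: bytes) -> list:
    """Return (name, reason) for every entry that could place data outside the extraction root."""
    findings, symlinks = [], set()
    for name, mode, payload in newc_entries(data):
        norm = posixpath.normpath(name)
        if escapes(name):
            findings.append((name, "absolute or ..-escaping path"))
        if any(norm.startswith(s + "/") for s in symlinks):
            findings.append((name, "path passes through an earlier symlink entry"))
        if stat.S_ISLNK(mode):
            target = payload.decode()
            if escapes(target) or escapes(posixpath.join(posixpath.dirname(norm), target)):
                findings.append((name, "symlink target %r leaves extraction root" % target))
            symlinks.add(norm)
    return findings

def newc_entry(name: str, mode: int, payload: bytes = b"") -> bytes:
    nm = name.encode() + b"\0"
    fields = [0, mode, 0, 0, 1, 0, len(payload), 0, 0, 0, 0, len(nm), 0]
    hdr = b"070701" + b"".join(b"%08x" % v for v in fields) + nm
    hdr += b"\0" * (-len(hdr) % 4)
    return hdr + payload + b"\0" * (-len(payload) % 4)

# Constructed sample archive (not from the report): the symlink-then-write pattern plus an absolute name.
SAMPLE = b"".join([newc_entry("build/out", 0o120777, b"../../outside"),    # symlink leaving the root
                   newc_entry("build/out/note.txt", 0o100644, b"hello\n"),  # file written through it
                   newc_entry("/etc/motd", 0o100644, b"x"),                 # --no-absolute-filenames case
                   newc_entry("TRAILER!!!", 0)])
```

Running `audit(SAMPLE)` reports all three entries; an archive that only contains relative paths and in-tree symlinks produces no findings.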