- Snyk ID SNYK-CENTOS8-CPIO-1970858
- published 17 Aug 2021
- disclosed 6 Aug 2021
How to fix?
Upgrade Centos:8 cpio to version 0:2.12-11.el8 or higher.
Note: Versions mentioned in the description apply only to the upstream cpio package and not the cpio package as distributed by Centos. See How to fix? for Centos:8 relevant fixed versions and status.
GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. The pattern file is the one passed with the -E (--pattern-file) option, which cpio reads one line at a time. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.
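The failure mode the description names, an integer overflow in a growing-buffer line reader that turns into an out-of-bounds heap write, is modelled below as an added example. This is not GNU cpio's source and not Snyk's code: the function names (next_capacity_int, would_grow_int, read_delimited, count_patterns), the doubling formula, the grow-only guard and the sample pattern file are all assumptions made for illustration. The vulnerable arithmetic keeps the capacity in an int and doubles it; once the request wraps negative, the "grow only if larger" guard silently declines and the loop keeps storing bytes past the end of the old allocation. The hardened reader keeps sizes in size_t, checks the multiplication before doing it, and returns an error instead of writing. In this model the wrap only happens once the buffer has passed about 2^30 bytes, so a triggering pattern line is in the gigabyte range, which is relevant to the NOTE's question about how often -E input is untrusted.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Modelled vulnerable arithmetic (an assumption, not cpio's source): the
 * capacity is an int and the next capacity is strsize * 2 + 2.  Signed
 * overflow is undefined in C, so the wrap is reproduced in unsigned
 * arithmetic; converting the out-of-range result to int yields a negative
 * number on two's-complement compilers such as gcc. */
static int next_capacity_int(int strsize)
{
    return (int)((unsigned int)strsize * 2u + 2u);
}

/* The grow-only guard: resize only if the request exceeds the current size.
 * Once the request has wrapped negative this is false, the buffer keeps its
 * old size, and the read loop keeps storing bytes past its end: that is the
 * out-of-bounds heap write. */
static bool would_grow_int(int strsize)
{
    return next_capacity_int(strsize) > strsize;
}

/* Hardened arithmetic: size_t plus an explicit overflow check. */
static bool next_capacity_checked(size_t strsize, size_t *out)
{
    if (strsize > (SIZE_MAX - 2) / 2)
        return false;
    *out = strsize * 2 + 2;
    return true;
}

/* Same, returning 0 instead of false when the growth is refused. */
static size_t next_capacity_or_zero(size_t strsize)
{
    size_t n;
    return next_capacity_checked(strsize, &n) ? n : 0;
}

typedef struct { char *str; size_t cap; } dstr;

static bool dstr_init(dstr *d, size_t cap)
{
    d->cap = cap ? cap : 1;              /* always room for the terminator */
    d->str = malloc(d->cap);
    return d->str != NULL;
}

/* Hardened ds_fgetstr-style reader: stores bytes from f into d until eos or
 * EOF, growing d with the checked arithmetic.  Returns the number of bytes
 * stored (terminator excluded), -1 at EOF with nothing read, or -2 when
 * growth would overflow or allocation fails, so the caller aborts instead of
 * writing out of bounds. */
static long read_delimited(FILE *f, dstr *d, int eos)
{
    size_t insize = 0;
    int ch;

    while ((ch = getc(f)) != EOF && ch != eos) {
        if (insize + 1 >= d->cap) {      /* need room for ch plus the NUL */
            size_t ncap;
            char *p;
            if (!next_capacity_checked(d->cap, &ncap) ||
                (p = realloc(d->str, ncap)) == NULL)
                return -2;
            d->str = p;
            d->cap = ncap;
        }
        d->str[insize++] = (char)ch;
    }
    d->str[insize] = '\0';
    return (insize == 0 && ch == EOF) ? -1 : (long)insize;
}

/* Reads an in-memory "pattern file" line by line, the way cpio -E consumes
 * its pattern file; returns the number of patterns, or -1 on error.
 * Callers pass a constructed sample, e.g. "*.conf\nsecret*\n". */
static long count_patterns(const char *data)
{
    FILE *f = fmemopen((void *)data, strlen(data), "r");
    dstr d;
    long n = 0, r;

    if (f == NULL || !dstr_init(&d, 4)) {
        if (f) fclose(f);
        return -1;
    }
    while ((r = read_delimited(f, &d, '\n')) >= 0)
        n++;
    free(d.str);
    fclose(f);
    return r == -2 ? -1 : n;
}
```

The point of the checked variant is not the size_t width by itself but the explicit bound test before the multiplication: a wider type only moves the wrap, while the check turns it into a refusal the caller can act on. The small initial capacity of 4 in count_patterns is chosen so that the growth path is exercised on ordinary input.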