Hello Yiğit,

Sorry for the delay in responding to this issue. This issue was originally identified as CVE-2015-1197 and fixed around the same time frame. It was addressed in upstream cpio commit https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca, taking a different approach from the one vendors used when they fixed the issue in 2015. This differing behavior change resulted in the Debian maintainer undoing the symlink mangling portion of the fix via https://salsa.debian.org/lamby/pkg-cpio/-/commit/1d1163018b2ca240a6a1c9404f7e05c3bfa62f94 and this is what has landed in focal and newer.
Relevant Debian bug reports:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946267
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946469

Upstream thread about the issue:
https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00013.html

Alas, at this time, it does not appear to have been addressed upstream.

Thanks for the report.

** Bug watch added: Debian Bug tracker #946267
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946267

** Bug watch added: Debian Bug tracker #946469
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946469

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1197

** Package changed: ubuntu => cpio (Ubuntu)

** Changed in: cpio (Ubuntu)
       Status: New => Confirmed

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1904615
Title: cpio symlink traversal
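The bug class this report tracks, an archive that plants a symlink and then writes a later member through it, as an added example that is not from the report or from the cpio project: a minimal newc-format reader plus the pre-extraction check that a hardened extractor applies instead of trusting the archive. The archive builder, the sample entries and the /tmp/extract root are constructed for the demo and are assumptions, not cpio's own code.

```python
import posixpath
S_IFMT, S_IFLNK, S_IFREG = 0o170000, 0o120000, 0o100000

def pad4(n):  # newc aligns header+name and file data to 4 bytes
    return (4 - n % 4) % 4

def build_newc(entries):
    """Constructed helper: minimal newc archive from (name, mode, data); symlink data = target."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(entries + [("TRAILER!!!", 0, b"")], 1):
        name_b = name.encode() + b"\0"
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        out += b"070701" + "".join("%08x" % f for f in fields).encode()
        out += name_b + b"\0" * pad4(110 + len(name_b)) + data + b"\0" * pad4(len(data))
    return bytes(out)

def iter_newc(blob):
    """Yield (name, mode, data) per member; stop at the TRAILER!!! entry."""
    off = 0
    while blob[off:off + 6] == b"070701":
        f = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = blob[off + 110:off + 110 + namesize - 1].decode()
        off += 110 + namesize + pad4(110 + namesize)
        data, off = blob[off:off + size], off + size + pad4(size)
        if name == "TRAILER!!!":
            return
        yield name, mode, data
    raise ValueError("bad newc header at offset %d" % off)

def unsafe_members(blob, root="/tmp/extract"):
    """(name, reason) for members to refuse: path or symlink target leaving root, or a write through an archive symlink."""
    root, links, bad = posixpath.normpath(root), {}, []
    for name, mode, data in iter_newc(blob):
        dest = posixpath.normpath(posixpath.join(root, name))
        if posixpath.isabs(name) or not dest.startswith(root + "/"):
            bad.append((name, "path escapes extraction root"))
            continue
        parents = [name.rsplit("/", k)[0] for k in range(1, name.count("/") + 1)]
        hit = next((p for p in parents if p in links), None)  # any ancestor the archive made a symlink
        if hit:
            bad.append((name, "written through archive symlink %r" % hit))
        elif (mode & S_IFMT) == S_IFLNK:
            target = links[name] = data.decode()
            tdest = posixpath.normpath(posixpath.join(root, posixpath.dirname(name), target))
            if posixpath.isabs(target) or not tdest.startswith(root + "/"):
                bad.append((name, "symlink target %r leaves root" % target))
    return bad

# Constructed sample: benign file, symlink out of the tree, file written through it, '..' path.
SAMPLE = build_newc([("etc/motd", S_IFREG | 0o644, b"hello\n"), ("out", S_IFLNK | 0o777, b"../escape"),
                     ("out/payload", S_IFREG | 0o644, b"x"), ("../up", S_IFREG | 0o644, b"y")])
```

Only "etc/motd" passes; the other three are the members that the symlink-mangling fix discussed above, and its removal in Debian, decide the fate of.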