Arch Linux 201501-5 Medium Severity: cpio Heap Overflow Advisory

Arch Linux Security Advisory ASA-201501-5
========================================
Severity: Medium
Date    : 2015-01-14
CVE-ID  : CVE-2014-9112
Package : cpio
Type    : heap buffer overflow
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package cpio before version 2.11-5 is vulnerable to a heap buffer
overflow.

Resolution
=========
Upgrade to 2.11-5.

# pacman -Syu "cpio>=2.11-5"

The problem has been fixed upstream but no release is available yet.

Workaround
=========
None.

Description
==========
A heap-based buffer overflow flaw was reported in cpio's list_file()
function. Attempting to extract a malicious cpio archive could cause
cpio to crash or, potentially, execute arbitrary code.
As noted in the original report, this issue could be trigger via other
utilities, such as when running "less".

Impact
=====
An attacker is able to craft a malicious cpio archive which could cause
cpio to crash or, potentially, execute arbitrary code. This issue could
also be trigger via other utilities, such as when running "less".

References
=========
https://seclists.org/oss-sec/2014/q4/818

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9112