Ubuntu Security Notice 2906-1 - Alexander Cherepanov discovered that GNU cpio incorrectly handled symbolic links when used with the --no-absolute-filenames option. If a user or automated system were tricked into extracting a specially-crafted cpio archive, a remote attacker could possibly use this issue to write arbitrary files. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Gustavo Grieco discovered that GNU cpio incorrectly handled memory when extracting archive files. If a user or automated system were tricked into extracting a specially-crafted cpio archive, a remote attacker could use this issue to cause GNU cpio to crash, resulting in a denial of service, or possibly execute arbitrary code. Various other issues were also addressed.
d325f862f7fc8ef80e24f8d0efdc54ce587cd101af92a075a5d4fe50d647846f
Debian Linux Security Advisory 3483-1 - Gustavo Grieco discovered an out-of-bounds write vulnerability in cpio, a tool for creating and extracting cpio archive files, leading to a denial of service (application crash).
982b4436bbc04685bb4ec3b4e6989b7d0ec39eca9cd6ba847333f9b2f46a73ea