============================================================================ Ubuntu Security Notice USN-2906-1 February 22, 2016 cpio vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 15.10 - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in GNU cpio. Software Description: - cpio: a tool to manage archives of files Details: Alexander Cherepanov discovered that GNU cpio incorrectly handled symbolic links when used with the --no-absolute-filenames option. If a user or automated system were tricked into extracting a specially-crafted cpio archive, a remote attacker could possibly use this issue to write arbitrary files. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-1197) Gustavo Grieco discovered that GNU cpio incorrectly handled memory when extracting archive files. If a user or automated system were tricked into extracting a specially-crafted cpio archive, a remote attacker could use this issue to cause GNU cpio to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-2037) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 15.10: cpio 2.11+dfsg-4.1ubuntu1.1 Ubuntu 14.04 LTS: cpio 2.11+dfsg-1ubuntu1.2 Ubuntu 12.04 LTS: cpio 2.11-7ubuntu3.2 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-2906-1 CVE-2015-1197, CVE-2016-2037 Package Information: https://launchpad.net/ubuntu/+source/cpio/2.11+dfsg-4.1ubuntu1.1 https://launchpad.net/ubuntu/+source/cpio/2.11+dfsg-1ubuntu1.2 https://launchpad.net/ubuntu/+source/cpio/2.11-7ubuntu3.2