Update information for CVE-2017-7516
This is likely to be the very same issue as CVE-2015-1197. The attack vector is the same as the result. Different approaches on how to fix (one as used in Debian and SuSE) and one on the cpio mailing list. Asked MITRE if we should consider CVE-2017-7516 a duplicate of CVE-2015-1197. For the time being the patch applied in 2.11+dfsg-4.1 addresses the bypass of cpio --no-absolute-filenames as outlined in http://lists.gnu.org/archive/html/bug-cpio/2017-06/msg00001.html
Brought the issue as well to the Red Hat bugzilla, since the CVE-2017-7516 is Red Hat assigned: https://bugzilla.redhat.com/show_bug.cgi?id=1539685#c6