function allows remote attackers to cause a denial of service via
a large block value in a cpio archive.
Fix from a series of upstream commits by Sergey Poznyakoff, via Debian.
CVE-2015-1197: cpio, when using the --no-absolute-filenames option,
allows local users to write to arbitrary files via a symlink attack
on a file in an archive.
Fix from Vitezslav Cizek after 3.5 years of gestation in the SUSE
bug tracker, via Debian.
Also apply an upstream fix for some regression tests while here.
Heap-based buffer overflow allows remote rmt servers to cause a
denial of service (memory corruption) or possibly execute arbitrary
code by sending more data than was requested.
with jasper@
* Option --owner can be used in copy-out mode, allowing to uniformly
override ownership of the files being added to the archive.
* Symlinks were handled incorrectly in copy-out mode.
* Fix handling of large files.
* Fix setting the file permissions in copy-out mode.
* Honor umask when creating intermediate directories, not specified
in the archive.
* Improved error checking and diagnostics
* Fixed CAN-1999-1572
* Allow to use --sparse in both copy-in and copy-pass.
* Fix bug that eventually caused copying out the same hard-linked file
several times to archive.
From: Rui Reis
cpio used a 0 umask when creating files using the -O (archive) or
-F options, which created the files with mode 0666 and allowed local
users to read or overwrite those files. (CAN-1999-1572)
