EulerOS 2.0 SP1 : cpio (EulerOS-SA-2016-1041)

Medium Nessus Plugin ID 99804


The remote EulerOS host is missing multiple security updates.


According to the versions of the cpio package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

- GNU cpio copies files into or out of a cpio or tar archive. Archives are files which contain a collection of other files plus information about them, such as their file name, owner, timestamps, and access permissions. The archive can be another file on the disk, a magnetic tape, or a pipe. GNU cpio supports the following archive formats: binary, old ASCII, new ASCII, crc, HPUX binary, HPUX old ASCII, old tar and POSIX.1 tar. By default, cpio creates binary format archives, so that they are compatible with older cpio programs. When it is extracting files from archives, cpio automatically recognizes which kind of archive it is reading and can read archives created on machines with a different byte-order.

- Security Fix(es)

- The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file.(CVE-2016-2037)

- cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.(CVE-2015-1197)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.


Update the affected cpio packages.

See Also

Plugin Details

Severity: Medium

ID: 99804

File Name: EulerOS_SA-2016-1041.nasl

Version: $Revision: 1.3 $

Type: local

Published: 2017/05/02

Modified: 2017/05/04

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 4.3

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

Temporal Vector: CVSS2#E:F/RL:U/RC:ND


Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: p-cpe:/a:huawei:euleros:cpio, cpe:/o:huawei:euleros:2.0

Required KB Items: Host/local_checks_enabled, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/sp

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/08/31

Reference Information

CVE: CVE-2015-1197, CVE-2016-2037

BID: 71914

OSVDB: 117211, 133523