cpio is a file archival tool which can also read and write tar files.
Multiple vulnerabilities have been discovered in cpio. Please review the CVE identifiers referenced below for details.
GNU cpio allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.
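As an added illustration of the bug class named above (this is not cpio's dstring.c and not the project's fix; the names dyn_string, next_size_unchecked, next_size_checked, ds_read_until and read_first_field_matches are assumptions), a hypothetical minimal field reader in C: the unchecked "double and add one" growth step wraps for a large current size and would hand back a buffer smaller than the data about to be stored, while the checked step fails cleanly and the reader refuses to write past a buffer it could not grow.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical minimal growable string, NOT cpio's dstring.c: a model of the
   "read a delimited field into a buffer that doubles as needed" pattern. */
typedef struct { char *buf; size_t cap; } dyn_string;
/* Unchecked growth step in unsigned int: for a large size the result wraps to a value
   SMALLER than the current size, so the next store into the buffer runs past its end. */
unsigned int next_size_unchecked(unsigned int cur) { return cur * 2u + 1u; }
/* Overflow-aware growth step: refuses instead of wrapping. */
bool next_size_checked(size_t cur, size_t *out) {
    if (cur > (SIZE_MAX - 1) / 2) return false;  /* cur*2+1 would not fit */
    *out = cur * 2 + 1;
    return true;
}
/* Grow s->buf until it holds at least `needed` bytes, or fail cleanly. */
static bool ensure_room(dyn_string *s, size_t needed) {
    size_t ncap = s->cap;
    while (ncap < needed)
        if (!next_size_checked(ncap, &ncap)) return false;
    char *nb = realloc(s->buf, ncap);
    if (nb == NULL) return false;
    s->buf = nb; s->cap = ncap;
    return true;
}
/* Read from f up to delimiter eos or EOF into s (NUL-terminated); returns the byte
   count, or (size_t)-1 on overflow/allocation failure, never a too-small buffer. */
size_t ds_read_until(FILE *f, dyn_string *s, int eos) {
    size_t n = 0; int ch;
    while ((ch = getc(f)) != EOF && ch != eos) {
        if (!ensure_room(s, n + 2)) return (size_t)-1;  /* room for ch and NUL */
        s->buf[n++] = (char)ch;
    }
    if (!ensure_room(s, n + 1)) return (size_t)-1;
    s->buf[n] = '\0';
    return n;
}
/* Self-check: write constructed text to a temp stream, read the first field back. */
bool read_first_field_matches(const char *text, int eos, const char *expect) {
    FILE *f = tmpfile();
    if (f == NULL) return false;
    fputs(text, f); rewind(f);
    dyn_string s = { NULL, 0 };
    size_t n = ds_read_until(f, &s, eos);
    bool ok = n != (size_t)-1 && strcmp(s.buf, expect) == 0;
    free(s.buf); fclose(f);
    return ok;
}
```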
There is no known workaround at this time.
All cpio users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/cpio-2.13-r1"