Hello gnu.org,

I am investigating various CVEs against the CBL-Mariner distribution.  NIST
(and subsequently our tooling) suggests that this CVE is active against all 
versions of cpio:  https://nvd.nist.gov/vuln/detail/CVE-2010-4226.  The 
associated CVE description also suggests that this vulnerability only occurs by 
the way cpio is used, but does not list an exploit or provide any explanation 
suggesting what that might be.

I am curious as to what gnu.org's official position is on this CVE.  Looking 
through the cpio changelog it does not appear to be addressed.

Sincerely
Jon Slobodzian