diff -Nru /tmp/zisD1xpUEe/cpio-2.8/debian/changelog /tmp/UrQUpkLA3s/cpio-2.8/debian/changelog
--- /tmp/zisD1xpUEe/cpio-2.8/debian/changelog 2007-11-09 14:58:59.000000000 +0100
+++ /tmp/UrQUpkLA3s/cpio-2.8/debian/changelog 2007-11-09 14:59:00.000000000 +0100
@@ -1,3 +1,17 @@
+cpio (2.8-1ubuntu2.1) gutsy-security; urgency=low
+
+ * SECURITY UPDATE: Buffer overflow in the safer_name_suffix function in GNU tar has
+ unspecified attack vectors and impact, resulting in a "crashing stack."
+ * src/copyin.c: added patch from RedHat for 2.9 which applies as well to 2.9
+ to prevent this to happen (LP: #161173)
+ (http://cvs.fedora.redhat.com/viewcvs/rpms/cpio/F-8/cpio-2.9-safer_name_suffix.patch?rev=1.1&view=markup)
+ * References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-4476
+ http://cvs.fedora.redhat.com/viewcvs/rpms/cpio/F-8/cpio-2.9-safer_name_suffix.patch?rev=1.1&view=markup
+ CVE-2007-4476
+
+ -- Stephan Hermann Fri, 09 Nov 2007 14:43:55 +0100
+
 cpio (2.8-1ubuntu2) gutsy; urgency=low
 
 * src/copyin.c: Applied patch from Dave Gilbert inline to fix
diff -Nru /tmp/zisD1xpUEe/cpio-2.8/lib/paxnames.c /tmp/UrQUpkLA3s/cpio-2.8/lib/paxnames.c
--- /tmp/zisD1xpUEe/cpio-2.8/lib/paxnames.c 2005-05-22 00:55:55.000000000 +0200
+++ /tmp/UrQUpkLA3s/cpio-2.8/lib/paxnames.c 2007-11-09 14:59:00.000000000 +0100
@@ -36,15 +36,27 @@
 return strcmp (name1, name2) == 0;
 }
 
-/* Return zero if TABLE contains a copy of STRING; otherwise, insert a
- copy of STRING to TABLE and return 1. */
-bool
-hash_string_insert (Hash_table **table, char const *string)
+/* Return zero if TABLE contains a LEN-character long prefix of STRING,
+ otherwise, insert a newly allocated copy of this prefix to TABLE and
+ return 1. If RETURN_PREFIX is not NULL, point it to the allocated
+ copy. */
+static bool
+hash_string_insert_prefix (Hash_table **table, char const *string, size_t len,
+ const char **return_prefix)
 {
 Hash_table *t = *table;
- char *s = xstrdup (string);
+ char *s;
 char *e;
 
+ if (len)
+ {
+ s = xmalloc (len + 1);
+ memcpy (s, string, len);
+ s[len] = 0;
+ }
+ else
+ s = xstrdup (string);
+
 if (! ((t
 || (*table = t = hash_initialize (0, 0, hash_string_hasher,
 hash_string_compare, 0)))
@@ -52,7 +64,11 @@
 xalloc_die ();
 
 if (e == s)
- return 1;
+ {
+ if (return_prefix)
+ *return_prefix = s;
+ return 1;
+ }
 else
 {
 free (s);
@@ -60,6 +76,14 @@
 }
 }
 
+/* Return zero if TABLE contains a copy of STRING; otherwise, insert a
+ copy of STRING to TABLE and return 1. */
+bool
+hash_string_insert (Hash_table **table, char const *string)
+{
+ return hash_string_insert_prefix (table, string, 0, NULL);
+}
+
 /* Return 1 if TABLE contains STRING. */
 bool
 hash_string_lookup (Hash_table const *table, char const *string)
@@ -88,7 +112,8 @@
 If ABSOLUTE_NAMES is 0, strip filesystem prefix from the file name. */
 
 char *
-safer_name_suffix (char const *file_name, bool link_target, bool absolute_names)
+safer_name_suffix (char const *file_name, bool link_target,
+ bool absolute_names)
 {
 char const *p;
 
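Review bot: The new comment on hash_string_insert_prefix in the first hunk does not say what LEN == 0 means, although the `if (len) ... else s = xstrdup (string);` branch treats it as "the whole of STRING" and the hash_string_insert wrapper in the third hunk depends on exactly that, so an empty prefix is unrepresentable and any future caller that hands in a computed length of zero will silently intern the entire name. The same function copies LEN bytes with `memcpy (s, string, len)` without any check against the string's own length, so that precondition belongs in the contract rather than being left implicit (the only visible caller derives prefix_len from file_name and guards with `if (prefix_len)`, so it is safe today). In the second hunk `*return_prefix` is assigned only on the insert path, so on a duplicate the caller's pointer is left untouched, which contradicts the comment's "point it to the allocated copy"; the copy is also owned by TABLE from then on, which is what replaces the alloca'd stack buffer and is worth stating. I would extend the comment with `LEN == 0 means all of STRING; otherwise LEN must not exceed strlen (STRING). *RETURN_PREFIX is set only when this call inserts the copy, and the copy stays owned by TABLE.`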
@@ -121,11 +146,9 @@
 if (prefix_len)
 {
- char *prefix = alloca (prefix_len + 1);
- memcpy (prefix, file_name, prefix_len);
- prefix[prefix_len] = '\0';
-
- if (hash_string_insert (&prefix_table[link_target], prefix))
+ const char *prefix;
+ if (hash_string_insert_prefix (&prefix_table[link_target], file_name,
+ prefix_len, &prefix))
 {
 static char const *const diagnostic[] = {