CVE-2017-7516

It was found that the cpio –no-absolute-filenames option since version 2.7 did not verify paths during extraction. A specially crafted cpio archive could bypass this option and write to an arbitrary location, outside of the extraction directory.

Source: CVE-2017-7516