diff -Nru cpio-2.11/debian/changelog cpio-2.11/debian/changelog
--- cpio-2.11/debian/changelog	2015-01-07 19:36:45.000000000 +0000
+++ cpio-2.11/debian/changelog	2016-02-18 15:53:55.000000000 +0000
@@ -1,3 +1,18 @@
+cpio (2.11-7ubuntu3.2) precise-security; urgency=medium
+
+  * SECURITY UPDATE: file overwrite via symlink attack
+    - debian/patches/CVE-2015-1197.patch: don't write files over symlinks
+      unless --extract-over-symlinks is used in doc/cpio.1, src/copyin.c,
+      src/extern.h, src/global.c, src/main.c.
+    - CVE-2015-1197
+  * SECURITY UPDATE: out-of-bounds write
+    - debian/patches/CVE-2016-2037.patch: make sure there is at least two
+      bytes available in src/copyin.c, added comment to src/util.c.
+    - CVE-2016-2037
+  * debian/patches/fix-symlink-test.patch: fix date-sensitive test.
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 18 Feb 2016 09:19:26 -0500
+
 cpio (2.11-7ubuntu3.1) precise-security; urgency=medium
 
   * SECURITY UPDATE: out of bounds write and other range issues
diff -Nru cpio-2.11/debian/patches/CVE-2015-1197.patch cpio-2.11/debian/patches/CVE-2015-1197.patch
--- cpio-2.11/debian/patches/CVE-2015-1197.patch	1970-01-01 00:00:00.000000000 +0000
+++ cpio-2.11/debian/patches/CVE-2015-1197.patch	2016-02-18 14:19:13.000000000 +0000
@@ -0,0 +1,150 @@
+Description: CVE-2015-1197
+ Apply patch by Vitezslav Cizek of SuSE to fix CVE-2015-1197.
+ Upstream is dormant or no longer existing. To restore the old
+ behaviour use --extract-over-symlinks (Closes: #774669)
+ This issue has been discovered by Alexander Cherepanov.
+Author: Vitezslav Cizek <vcizek@suse.cz>
+Bug-Debian: https://bugs.debian.org/774669
+
+--- cpio-2.11+dfsg.orig/doc/cpio.1
++++ cpio-2.11+dfsg/doc/cpio.1
+@@ -22,6 +22,7 @@ cpio \- copy files to and from archives
+ [\-\-owner=[user][:.][group]] [\-\-no-preserve-owner] [\-\-message=message]
+ [\-\-force\-local] [\-\-no\-absolute\-filenames] [\-\-sparse]
+ [\-\-only\-verify\-crc] [\-\-to\-stdout] [\-\-quiet] [\-\-rsh-command=command]
++[\-\-extract\-over\-symlinks]
+ [\-\-help] [\-\-version] [pattern...] [< archive]
+ 
+ .B cpio
+--- cpio-2.11+dfsg.orig/src/copyin.c
++++ cpio-2.11+dfsg/src/copyin.c
+@@ -700,6 +700,51 @@ copyin_link (struct cpio_file_stat *file
+   free (link_name);
+ }
+ 
++
++static int
++path_contains_symlink(char *path)
++{
++  struct stat st;
++  char *slash;
++  char *nextslash;
++
++  /* we got NULL pointer or empty string */
++  if (!path || !*path) {
++    return false;
++  }
++
++  slash = path;
++
++  while ((nextslash = strchr(slash + 1, '/')) != NULL) {
++    slash = nextslash;
++    *slash = '\0';
++
++    if (lstat(path, &st) != 0) {
++      if (errno == ELOOP) {
++        /* ELOOP - too many symlinks */
++        *slash = '/';
++        return true;
++      } else if (errno == ENOMEM) {
++        /* No memory for lstat - terminate */
++        xalloc_die();
++      } else {
++        /* cannot lstat path - give up */
++        *slash = '/';
++        return false;
++      }
++    }
++
++    if (S_ISLNK(st.st_mode)) {
++      *slash = '/';
++      return true;
++    }
++
++    *slash = '/';
++  }
++
++  return false;
++}
++
+ static void
+ copyin_file (struct cpio_file_stat *file_hdr, int in_file_des)
+ {
+@@ -1471,6 +1516,23 @@ process_copy_in ()
+ 	{
+ 	  /* Copy the input file into the directory structure.  */
+ 
++          /* Can we write files over symlinks? */
++          if (!extract_over_symlinks)
++            {
++              if (path_contains_symlink(file_hdr.c_name))
++                {
++                  /* skip the file */
++                  /*
++                  fprintf(stderr, "Can't write over symlinks. Skipping %s\n", file_hdr.c_name);
++                  tape_toss_input (in_file_des, file_hdr.c_filesize);
++                  tape_skip_padding (in_file_des, file_hdr.c_filesize);
++                  continue;
++                  */
++                  /* terminate */
++	          error (1, 0, _("Can't write over symlinks: %s\n"), file_hdr.c_name);
++                }
++            }
++
+ 	  /* Do we need to rename the file? */
+ 	  if (rename_flag || rename_batch_file)
+ 	    {
+--- cpio-2.11+dfsg.orig/src/extern.h
++++ cpio-2.11+dfsg/src/extern.h
+@@ -95,6 +95,7 @@ extern char input_is_special;
+ extern char output_is_special;
+ extern char input_is_seekable;
+ extern char output_is_seekable;
++extern bool extract_over_symlinks;
+ extern int (*xstat) ();
+ extern void (*copy_function) ();
+ 
+--- cpio-2.11+dfsg.orig/src/global.c
++++ cpio-2.11+dfsg/src/global.c
+@@ -187,6 +187,9 @@ bool to_stdout_option = false;
+ /* The name this program was run with.  */
+ char *program_name;
+ 
++/* Extract files over symbolic links */
++bool extract_over_symlinks;
++
+ /* A pointer to either lstat or stat, depending on whether
+    dereferencing of symlinks is done for input files.  */
+ int (*xstat) ();
+--- cpio-2.11+dfsg.orig/src/main.c
++++ cpio-2.11+dfsg/src/main.c
+@@ -57,7 +57,8 @@ enum cpio_options {
+   FORCE_LOCAL_OPTION,            
+   DEBUG_OPTION,                  
+   BLOCK_SIZE_OPTION,             
+-  TO_STDOUT_OPTION
++  TO_STDOUT_OPTION,
++  EXTRACT_OVER_SYMLINKS
+ };
+ 
+ const char *program_authors[] =
+@@ -222,6 +223,8 @@ static struct argp_option options[] = {
+    N_("Create leading directories where needed"), GRID+1 },
+   {"no-preserve-owner", NO_PRESERVE_OWNER_OPTION, 0, 0,
+    N_("Do not change the ownership of the files"), GRID+1 },
++  {"extract-over-symlinks", EXTRACT_OVER_SYMLINKS, 0, 0,
++   N_("Force writing over symbolic links"), GRID+1 },
+   {"unconditional", 'u', NULL, 0,
+    N_("Replace all files unconditionally"), GRID+1 },
+   {"sparse", SPARSE_OPTION, NULL, 0,
+@@ -412,6 +415,10 @@ crc newc odc bin ustar tar (all-caps als
+       no_chown_flag = true;
+       break;
+ 
++    case EXTRACT_OVER_SYMLINKS:		        /* --extract-over-symlinks */
++      extract_over_symlinks = true;
++      break;
++
+     case 'o':		/* Copy-out mode.  */
+       if (copy_function != 0)
+ 	error (PAXEXIT_FAILURE, 0, _("Mode already defined"));
diff -Nru cpio-2.11/debian/patches/CVE-2016-2037.patch cpio-2.11/debian/patches/CVE-2016-2037.patch
--- cpio-2.11/debian/patches/CVE-2016-2037.patch	1970-01-01 00:00:00.000000000 +0000
+++ cpio-2.11/debian/patches/CVE-2016-2037.patch	2016-02-18 14:19:17.000000000 +0000
@@ -0,0 +1,48 @@
+Description: fix 1-byte out-of-bounds write (CVE-2016-2037)
+ Other calls to cpio_safer_name_suffix seem to be safe.
+ .
+ * src/copyin.c (process_copy_in):  Make sure that file_hdr.c_name
+ has at least two bytes allocated.
+ * src/util.c (cpio_safer_name_suffix): Document that use of this
+ function requires to be careful.
+Origin: upstream, https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html
+Bug-Debian: https://bugs.debian.org/812401
+Forwarded: not-needed
+Author: Pavel Raiskup <praiskup@redhat.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-02-12
+
+---
+ src/copyin.c | 2 ++
+ src/util.c   | 5 ++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+Index: cpio-2.11+dfsg/src/copyin.c
+===================================================================
+--- cpio-2.11+dfsg.orig/src/copyin.c
++++ cpio-2.11+dfsg/src/copyin.c
+@@ -1433,6 +1433,8 @@ process_copy_in ()
+ 	  break;
+ 	}
+ 
++      if (file_hdr.c_namesize <= 1)
++        file_hdr.c_name = xrealloc(file_hdr.c_name, 2);
+       cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag,
+ 			      false);
+       
+Index: cpio-2.11+dfsg/src/util.c
+===================================================================
+--- cpio-2.11+dfsg.orig/src/util.c
++++ cpio-2.11+dfsg/src/util.c
+@@ -1374,7 +1374,10 @@ set_file_times (int fd,
+ }
+ 
+ /* Do we have to ignore absolute paths, and if so, does the filename
+-   have an absolute path?  */
++   have an absolute path?
++   Before calling this function make sure that the allocated NAME buffer has
++   capacity at least 2 bytes to allow us to store the "." string inside.  */
++
+ void
+ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
+ 			bool strip_leading_dots)
diff -Nru cpio-2.11/debian/patches/fix-symlink-test.patch cpio-2.11/debian/patches/fix-symlink-test.patch
--- cpio-2.11/debian/patches/fix-symlink-test.patch	1970-01-01 00:00:00.000000000 +0000
+++ cpio-2.11/debian/patches/fix-symlink-test.patch	2016-02-18 15:53:37.000000000 +0000
@@ -0,0 +1,29 @@
+Description: fix date-sensitive test
+Author: Marc Deslauriers <marc.deslauriers@canonical.com>
+
+Index: cpio-2.11+dfsg/tests/symlink-bad-length.at
+===================================================================
+--- cpio-2.11+dfsg.orig/tests/symlink-bad-length.at	2016-02-18 10:36:51.066541370 -0500
++++ cpio-2.11+dfsg/tests/symlink-bad-length.at	2016-02-18 10:36:51.066541370 -0500
+@@ -57,7 +57,7 @@
+ echo >&2 STDERR
+ ],
+ [0],
+-[-rw-rw-r--   1 10029    10031          13 Nov 25 11:52 FILE
++[-rw-rw-r--   1 10029    10031          13 Nov 25  2014 FILE
+ ],[STDERR
+ ])
+ 
+Index: cpio-2.11+dfsg/tests/testsuite
+===================================================================
+--- cpio-2.11+dfsg.orig/tests/testsuite	2016-02-18 10:36:51.030541004 -0500
++++ cpio-2.11+dfsg/tests/testsuite	2016-02-18 10:37:18.338816966 -0500
+@@ -2172,7 +2172,7 @@
+ echo >>"$at_stderr"; $as_echo "STDERR
+ " | \
+   $at_diff - "$at_stderr" || at_failed=:
+-echo >>"$at_stdout"; $as_echo "-rw-rw-r--   1 10029    10031          13 Nov 25 11:52 FILE
++echo >>"$at_stdout"; $as_echo "-rw-rw-r--   1 10029    10031          13 Nov 25  2014 FILE
+ " | \
+   $at_diff - "$at_stdout" || at_failed=:
+ at_fn_check_status 0 $at_status "$at_srcdir/symlink-bad-length.at:46"
diff -Nru cpio-2.11/debian/patches/series cpio-2.11/debian/patches/series
--- cpio-2.11/debian/patches/series	2015-01-07 19:35:20.000000000 +0000
+++ cpio-2.11/debian/patches/series	2016-02-18 15:53:37.000000000 +0000
@@ -8,3 +8,6 @@
 627444-cross-compiling.patch
 cpio-CVE-2014-9112.patch
 cpio-CVE-2014-9112-testsuite.patch
+CVE-2015-1197.patch
+CVE-2016-2037.patch
+fix-symlink-test.patch