oss-sec mailing list archives
Re: CVE Request: BusyBox tar directory traversal
From: cve-assign () mitre org
Date: Wed, 21 Oct 2015 17:47:36 -0400 (EDT)
> http://git.busybox.net/busybox/commit/?id=a116552869db5e7793ae10968eb3c962c69b3d8c
> https://bugs.busybox.net/8411
> an archive which contains: symlink/evil.py
> Untarring it puts evil.py in '/tmp'
Use CVE-2011-5325.
> I forgot to mention that I took a look at BusyBox's protections against directory traversal attacks while extracting files with absolute paths or dot dot ("..") components and it seems to sufficiently protect against those attacks.
OK, so there's no additional CVE ID.
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
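A defender-side check for the archive layout described in this message, as an added example that is not part of the original post or of BusyBox: it lists tar members that use an absolute path or a ".." component, or whose path runs through a link member defined earlier in the same archive. The sample archive is constructed in memory; the `/tmp` link target, the placeholder file contents and the `docs/readme.txt` entry are assumptions for illustration.

```python
import io
import posixpath
import tarfile


def build_sample_archive():
    """Constructed sample: a symlink member, then a file placed 'under' it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("symlink")
        link.type = tarfile.SYMTYPE
        link.linkname = "/tmp"  # assumed target, matching the '/tmp' result in the report
        tar.addfile(link)
        for name, body in (("symlink/evil.py", b"# placeholder\n"),
                           ("docs/readme.txt", b"ok\n")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def audit_members(data):
    """Return (member name, reason) for entries that are unsafe to extract."""
    findings = []
    links = set()  # normalized names of symlink/hardlink members seen so far
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            name = posixpath.normpath(member.name)
            parts = name.split("/")
            if name.startswith("/") or ".." in parts:
                findings.append((member.name, "absolute path or '..' component"))
                continue
            # Check every proper prefix of the path against earlier link members.
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in links:
                    reason = "path passes through link member '%s'" % prefix
                    findings.append((member.name, reason))
                    break
            if member.issym() or member.islnk():
                links.add(name)
    return findings


if __name__ == "__main__":
    for name, reason in audit_members(build_sample_archive()):
        print("REJECT %s: %s" % (name, reason))
```

Running the audit before extraction lets an unpacking job refuse the whole archive instead of relying on the extractor's own handling of links.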