oss-sec mailing list archives
Re: CVE request: pigz, kgb, pax: directory traversal
From: cve-assign () mitre org
Date: Sun, 18 Jan 2015 14:55:31 -0500 (EST)
On Mon, 12 Jan 2015, Thijs Kinkhorst wrote:
Three additional cases of directory traversal in archiving utilities have been reported to Debian. Please assign a CVE id to each.- pigz Report: https://bugs.debian.org/774978 Fix: https://github.com/madler/pigz/commit/fdad1406b3ec809f4954ff7cdf9e99eb18c2458f
Use CVE-2015-1191.
- kgb Report: https://bugs.debian.org/774989
Use CVE-2015-1192.
- pax Report: https://bugs.debian.org/774716 and http://www.openwall.com/lists/oss-security/2015/01/07/5
Use CVE-2015-1193 for the .. path traversal (CWE-22).Use CVE-2015-1194 for the symlink following, which can allow access outside of the current directory.
CVE distinguishes symlink following from path traversal as different vulnerability types. The fix for one issue is not necessarily guaranteed to fix the other. Also, since symlink following attacks can often be used against protected files within a directory that is already accessible to the attacker, it might cause confusion to use the "directory traversal" term to describe them.
--- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Current thread:
- CVE request: pigz, kgb, pax: directory traversal Thijs Kinkhorst (Jan 12)
- Re: CVE request: pigz, kgb, pax: directory traversal cve-assign (Jan 18)