oss-sec mailing list archives
Re: CVE Request: libarchive -- directory traversal in bsdcpio
From: Alessandro Ghedini <alessandro () ghedini me>
Date: Thu, 5 Mar 2015 13:46:02 +0100
On dom, feb 22, 2015 at 08:01:10 +0100, Moritz Muehlenhoff wrote:
On Fri, Jan 16, 2015 at 06:19:21AM +0300, Alexander Cherepanov wrote:Hi! bsdcpio tool from libarchive bundle is susceptible to a directory traversal vulnerability via absolute paths. Initial discussion: http://www.openwall.com/lists/oss-security/2015/01/07/5 Upstream report: https://groups.google.com/d/msg/libarchive-discuss/dN9y1VvE1Qk/Z9uerigjQn0J My proposed (minimal) fix (non-Windows): https://groups.google.com/group/libarchive-discuss/attach/a78932ecb50340ae/0001-Quick-n-dirty-fix-for-bsdcpio-directory-traversal-vu.patch?part=0.1 Discussion is ongoing. Could CVE(s) please be assigned?This seems to have fallen through the cracks, explicitly adding cve-assign to CC.
FYI, the issue has now been fixed upstream [0] (only on POSIX platforms though, not Windows). Cheers [0] https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526
Attachment:
signature.asc
Description: Digital signature
Current thread:
- CVE Request: libarchive -- directory traversal in bsdcpio Alexander Cherepanov (Jan 15)
- Re: CVE Request: libarchive -- directory traversal in bsdcpio Moritz Muehlenhoff (Feb 22)
- Re: CVE Request: libarchive -- directory traversal in bsdcpio Alessandro Ghedini (Mar 05)
- Re: CVE Request: libarchive -- directory traversal in bsdcpio Moritz Mühlenhoff (Mar 05)
- Re: CVE Request: libarchive -- directory traversal in bsdcpio Marcus Meissner (Mar 09)
- Re: CVE Request: libarchive -- directory traversal in bsdcpio cve-assign (Mar 15)
- Re: CVE Request: libarchive -- directory traversal in bsdcpio Moritz Muehlenhoff (Feb 22)