Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 16 Jan 2015 06:19:21 +0300
From: Alexander Cherepanov <ch3root@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request: libarchive -- directory traversal in bsdcpio

Hi!

bsdcpio tool from libarchive bundle is susceptible to a directory 
traversal vulnerability via absolute paths.

Initial discussion:
http://www.openwall.com/lists/oss-security/2015/01/07/5

Upstream report:
https://groups.google.com/d/msg/libarchive-discuss/dN9y1VvE1Qk/Z9uerigjQn0J

My proposed (minimal) fix (non-Windows):
https://groups.google.com/group/libarchive-discuss/attach/a78932ecb50340ae/0001-Quick-n-dirty-fix-for-bsdcpio-directory-traversal-vu.patch?part=0.1

Discussion is ongoing.

Could CVE(s) please be assigned?

-- 
Alexander Cherepanov

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ