Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 16 Jan 2015 07:31:25 +0300
From: Alexander Cherepanov <ch3root@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: cpio -- directory traversal

On 2015-01-16 06:09, Lyndon Nerenberg wrote:
> On Jan 15, 2015, at 6:44 PM, Alexander Cherepanov wrote:
>> cpio is susceptible to a directory traversal vulnerability via symlinks.
>
> This is not a bug.  It's doing exactly what you asked of it.

Could you please elaborate? Citing my email to upstream: 
"--no-absolute-filenames option seems to be intended to limit extracting 
contents of an archive to be strictly inside a current directory (it 
guards against both absolute paths and relative paths with .. in them). 
However it can be bypassed with symlinks [extracted from the archive]."

-- 
Alexander Cherepanov

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ