Date: Fri, 16 Jan 2015 07:31:25 +0300
From: Alexander Cherepanov <ch3root@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: cpio -- directory traversal

On 2015-01-16 06:09, Lyndon Nerenberg wrote:
> On Jan 15, 2015, at 6:44 PM, Alexander Cherepanov wrote:
>> cpio is susceptible to a directory traversal vulnerability via symlinks.
>
> This is not a bug. It's doing exactly what you asked of it.

Could you please elaborate? Citing my email to upstream:

"--no-absolute-filenames option seems to be intended to limit extracting contents of an archive to be strictly inside a current directory (it guards against both absolute paths and relative paths with .. in them). However it can be bypassed with symlinks [extracted from the archive]."

--
Alexander Cherepanov
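
A pre-extraction check for the bypass described in the message above, as an added example that is not part of the original post or of cpio: it walks archive members in order, remembers symlinks created by earlier members, and flags any entry whose parent directory resolves outside the extraction root. The `(name, kind, link_target)` tuple format, the function names and the sample listing are assumptions constructed for illustration.

```python
import posixpath

def _resolve(path, links, depth=0):
    """Follow recorded symlinks; return root-relative path or None if it escapes."""
    if depth > 40 or path.startswith("/"):      # symlink loop or absolute path
        return None
    parts = [p for p in path.split("/") if p not in ("", ".")]
    done = []
    for i, part in enumerate(parts):
        if part == "..":
            if not done:
                return None                      # climbed above the root
            done.pop()
            continue
        done.append(part)
        target = links.get("/".join(done))
        if target is not None:                   # prefix is a symlink from the archive
            rest = "/".join(parts[i + 1:])
            nxt = posixpath.join("/".join(done[:-1]), target, rest)
            return _resolve(nxt, links, depth + 1)
    return "/".join(done)

def find_escapes(members):
    """members: (name, kind, link_target) in archive order -> [(name, reason)]."""
    links, flagged = {}, []
    for name, kind, target in members:
        if name.startswith("/") or ".." in name.split("/"):
            flagged.append((name, "lexical"))    # what a name-only filter catches
            continue
        parent, _, base = name.rstrip("/").rpartition("/")
        real_parent = _resolve(parent, links)
        if real_parent is None:
            flagged.append((name, "symlink"))    # name looks clean, location is not
            continue
        key = posixpath.join(real_parent, base)
        if kind == "symlink":
            links[key] = target                  # later members may pass through it
        else:
            links.pop(key, None)                 # entry replaced an earlier symlink
    return flagged

# Constructed sample listing (not taken from any real archive).
SAMPLE = [
    ("docs", "dir", None), ("docs/readme.txt", "file", None),
    ("out", "symlink", "/tmp"), ("out/file.txt", "file", None),
    ("up", "symlink", ".."), ("up/x", "file", None),
    ("docs/back", "symlink", ".."), ("docs/back/ok.txt", "file", None),
    ("../evil", "file", None),
]
```

Entries flagged `symlink` have names with no leading `/` and no `..` component, which is why a check on names alone does not catch them.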