Date: Sun, 18 Jan 2015 14:55:31 -0500 (EST) From: cve-assign@...re.org To: Thijs Kinkhorst <thijs@...ian.org> cc: oss-security@...ts.openwall.com, cve-assign@...re.org Subject: Re: CVE request: pigz, kgb, pax: directory traversal On Mon, 12 Jan 2015, Thijs Kinkhorst wrote: > Three additional cases of directory traversal in archiving utilities > have been reported to Debian. Please assign a CVE id to each. > > - pigz > Report: https://bugs.debian.org/774978 > Fix: > https://github.com/madler/pigz/commit/fdad1406b3ec809f4954ff7cdf9e99eb18c2458f Use CVE-2015-1191. > - kgb > Report: https://bugs.debian.org/774989 Use CVE-2015-1192. > - pax > Report: https://bugs.debian.org/774716 and > http://www.openwall.com/lists/oss-security/2015/01/07/5 Use CVE-2015-1193 for the .. path traversal (CWE-22). Use CVE-2015-1194 for the symlink following, which can allow access outside of the current directory. CVE distinguishes symlink following from path traversal as different vulnerability types. The fix for one issue is not necessarily guaranteed to fix the other. Also, since symlink following attacks can often be used against protected files within a directory that is already accessible to the attacker, it might cause confusion to use the "directory traversal" term to describe them. --- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ