Date: Mon, 2 Feb 2015 18:48:35 +0100 From: Vitezslav Cizek <vcizek@...e.cz> To: oss-security@...ts.openwall.com Subject: Re: CVE Request: cpio -- directory traversal Hi, * Dne Friday 16. January 2015, 03:44:25 [CET] Alexander Cherepanov napsal: > Hi! > > cpio is susceptible to a directory traversal vulnerability via symlinks. Here's a patch we use in SUSE for some time. It forbids to write over symlinks, similar to bsdtar. It also adds a new option "--extract-over-symlinks" to restore the original behaviour. I sent it to Sergey Poznyakoff (upstream maintainer) in July, but there was no response. Here's a corresponding bug in SUSE bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=658010 > Initial report: > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669 > > Upstream report: > https://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html > > Some discussion: > http://www.openwall.com/lists/oss-security/2015/01/07/5 > http://www.openwall.com/lists/oss-security/2015/01/08/4 > > Could CVE(s) please be assigned? > > -- > Alexander Cherepanov -- Vita Cizek View attachment "cpio-check_for_symlinks.patch" of type "text/x-patch" (5057 bytes) Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ