Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 2 Feb 2015 18:48:35 +0100
From: Vitezslav Cizek <vcizek@...e.cz>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: cpio -- directory traversal

Hi,

* Dne Friday 16. January 2015, 03:44:25 [CET] Alexander Cherepanov napsal:
> Hi!
> 
> cpio is susceptible to a directory traversal vulnerability via symlinks.

Here's a patch we use in SUSE for some time.
It forbids to write over symlinks, similar to bsdtar.
It also adds a new option "--extract-over-symlinks" to restore the original
behaviour.

I sent it to Sergey Poznyakoff (upstream maintainer) in July,
but there was no response.

Here's a corresponding bug in SUSE bugzilla:
https://bugzilla.suse.com/show_bug.cgi?id=658010

> Initial report:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669
> 
> Upstream report:
> https://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html
> 
> Some discussion:
> http://www.openwall.com/lists/oss-security/2015/01/07/5
> http://www.openwall.com/lists/oss-security/2015/01/08/4
> 
> Could CVE(s) please be assigned?
> 
> -- 
> Alexander Cherepanov

-- 
Vita Cizek

View attachment "cpio-check_for_symlinks.patch" of type "text/x-patch" (5057 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ