Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 5 Mar 2015 13:46:02 +0100
From: Alessandro Ghedini <alessandro@...dini.me>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE Request: libarchive -- directory traversal in
 bsdcpio

On dom, feb 22, 2015 at 08:01:10 +0100, Moritz Muehlenhoff wrote:
> On Fri, Jan 16, 2015 at 06:19:21AM +0300, Alexander Cherepanov wrote:
> > Hi!
> > 
> > bsdcpio tool from libarchive bundle is susceptible to a directory traversal
> > vulnerability via absolute paths.
> > 
> > Initial discussion:
> > http://www.openwall.com/lists/oss-security/2015/01/07/5
> > 
> > Upstream report:
> > https://groups.google.com/d/msg/libarchive-discuss/dN9y1VvE1Qk/Z9uerigjQn0J
> > 
> > My proposed (minimal) fix (non-Windows):
> > https://groups.google.com/group/libarchive-discuss/attach/a78932ecb50340ae/0001-Quick-n-dirty-fix-for-bsdcpio-directory-traversal-vu.patch?part=0.1
> > 
> > Discussion is ongoing.
> > 
> > Could CVE(s) please be assigned?
> 
> This seems to have fallen through the cracks, explicitly adding cve-assign
> to CC.

FYI, the issue has now been fixed upstream [0] (only on POSIX platforms though,
not Windows).

Cheers

[0] https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ