Date: Mon, 9 Mar 2015 10:03:33 +0100 From: Marcus Meissner <meissner@...e.de> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: Re: CVE Request: libarchive -- directory traversal in bsdcpio Hi, can someone else beside Mitre assign a CVE? Ciao, Marcus On Thu, Mar 05, 2015 at 10:00:01PM +0100, Moritz Mühlenhoff wrote: > On Sun, Feb 22, 2015 at 08:01:10PM +0100, Moritz Muehlenhoff wrote: > > On Fri, Jan 16, 2015 at 06:19:21AM +0300, Alexander Cherepanov wrote: > > > Hi! > > > > > > bsdcpio tool from libarchive bundle is susceptible to a directory traversal > > > vulnerability via absolute paths. > > > > > > Initial discussion: > > > http://www.openwall.com/lists/oss-security/2015/01/07/5 > > > > > > Upstream report: > > > https://groups.google.com/d/msg/libarchive-discuss/dN9y1VvE1Qk/Z9uerigjQn0J > > > > > > My proposed (minimal) fix (non-Windows): > > > https://groups.google.com/group/libarchive-discuss/attach/a78932ecb50340ae/0001-Quick-n-dirty-fix-for-bsdcpio-directory-traversal-vu.patch?part=0.1 > > > > > > Discussion is ongoing. > > > > > > Could CVE(s) please be assigned? > > > > This seems to have fallen through the cracks, explicitly adding cve-assign > > to CC. > > Now released as DSA 3180. > > Cheers, > Moritz >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ