Date: Sun, 15 Mar 2015 14:11:39 -0400 (EDT)
From: cve-assign@...re.org
To: Moritz Mühlenhoff <jmm@...til.org>
cc: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: CVE Request: libarchive -- directory traversal in bsdcpio


On Thu, 5 Mar 2015, Moritz Mühlenhoff wrote:

> On Sun, Feb 22, 2015 at 08:01:10PM +0100, Moritz Muehlenhoff wrote:
>> On Fri, Jan 16, 2015 at 06:19:21AM +0300, Alexander Cherepanov wrote:
>>> Hi!
>>>
>>> bsdcpio tool from libarchive bundle is susceptible to a directory traversal
>>> vulnerability via absolute paths.
>>>
>>> Initial discussion:
>>> http://www.openwall.com/lists/oss-security/2015/01/07/5
>>>
>>> Upstream report:
>>> https://groups.google.com/d/msg/libarchive-discuss/dN9y1VvE1Qk/Z9uerigjQn0J
>>>
>>> My proposed (minimal) fix (non-Windows):
>>> https://groups.google.com/group/libarchive-discuss/attach/a78932ecb50340ae/0001-Quick-n-dirty-fix-for-bsdcpio-directory-traversal-vu.patch?part=0.1
>>>
>>> Discussion is ongoing.
>>>
>>> Could CVE(s) please be assigned?
>>
>> This seems to have fallen through the cracks, explicitly adding cve-assign
>> to CC.
>
> Now released as DSA 3180.

Use CVE-2015-2304.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
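
The report quoted above concerns cpio members stored under absolute paths. As an added example (not part of this thread and not libarchive's code), the following Python audit parses a cpio "newc" archive before extraction and flags absolute member names; the ".." check goes beyond the case named in the thread, and all function names and the sample archive are constructed for illustration.

```python
HDR_LEN = 110                      # 6-byte magic + 13 fields of 8 hex digits
MAGICS = (b"070701", b"070702")    # newc, and newc with checksum

def _pad4(n):
    """Round n up to the next multiple of 4 (newc alignment)."""
    return (n + 3) & ~3

def iter_names(blob):
    """Yield member names from a newc archive until the trailer or end of data."""
    off = 0
    while off + HDR_LEN <= len(blob):
        hdr = blob[off:off + HDR_LEN]
        if hdr[:6] not in MAGICS:
            raise ValueError("not a newc header at offset %d" % off)
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name_end = off + HDR_LEN + namesize
        if namesize == 0 or name_end > len(blob):
            raise ValueError("truncated name at offset %d" % off)
        # namesize counts the trailing NUL, so drop the last byte.
        name = blob[off + HDR_LEN:name_end - 1].decode("utf-8", "surrogateescape")
        if name == "TRAILER!!!":
            return
        yield name
        # Header+name and file data are each padded to a 4-byte boundary.
        off = _pad4(name_end) + _pad4(filesize)

def unsafe_reason(name):
    """Return why a name could land outside the extraction directory, or None."""
    if name.startswith("/"):
        return "absolute path"
    if ".." in name.split("/"):
        return "parent-directory component"
    return None

def audit(blob):
    """Return (name, reason) for every member that should not be extracted as-is."""
    return [(n, unsafe_reason(n)) for n in iter_names(blob) if unsafe_reason(n)]

def _member(name, data=b""):
    """Build one newc member; used only for the constructed SAMPLE below."""
    raw = name.encode() + b"\0"
    fields = [0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(raw), 0]
    head = b"070701" + b"".join(b"%08X" % f for f in fields) + raw
    return head.ljust(_pad4(len(head)), b"\0") + data.ljust(_pad4(len(data)), b"\0")

# Constructed sample archive: one safe name, one absolute, one with "..".
SAMPLE = b"".join(_member(n, d) for n, d in [
    ("docs/readme.txt", b"hello"), ("/tmp/constructed-abs", b"x"),
    ("a/../../b", b""), ("TRAILER!!!", b"")])
```

Running `audit()` on an untrusted archive before handing it to an extractor gives a list of members to reject or rewrite.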
