Date: Sun, 15 Mar 2015 14:11:39 -0400 (EDT) From: cve-assign@...re.org To: Moritz Mühlenhoff <jmm@...til.org> cc: oss-security@...ts.openwall.com, cve-assign@...re.org Subject: Re: CVE Request: libarchive -- directory traversal in bsdcpio On Thu, 5 Mar 2015, Moritz Mühlenhoff wrote: > On Sun, Feb 22, 2015 at 08:01:10PM +0100, Moritz Muehlenhoff wrote: >> On Fri, Jan 16, 2015 at 06:19:21AM +0300, Alexander Cherepanov wrote: >>> Hi! >>> >>> bsdcpio tool from libarchive bundle is susceptible to a directory traversal >>> vulnerability via absolute paths. >>> >>> Initial discussion: >>> http://www.openwall.com/lists/oss-security/2015/01/07/5 >>> >>> Upstream report: >>> https://groups.google.com/d/msg/libarchive-discuss/dN9y1VvE1Qk/Z9uerigjQn0J >>> >>> My proposed (minimal) fix (non-Windows): >>> https://groups.google.com/group/libarchive-discuss/attach/a78932ecb50340ae/0001-Quick-n-dirty-fix-for-bsdcpio-directory-traversal-vu.patch?part=0.1 >>> >>> Discussion is ongoing. >>> >>> Could CVE(s) please be assigned? >> >> This seems to have fallen through the cracks, explicitly adding cve-assign >> to CC. > > Now released as DSA 3180. Use CVE-2015-2304. --- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ