Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150202174834.GA22419@ursa.suse.cz>
Date: Mon, 2 Feb 2015 18:48:35 +0100
From: Vitezslav Cizek <vcizek@...e.cz>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: cpio -- directory traversal

Hi,

* Dne Friday 16. January 2015, 03:44:25 [CET] Alexander Cherepanov napsal:
> Hi!
> 
> cpio is susceptible to a directory traversal vulnerability via symlinks.

Here's a patch we use in SUSE for some time.
It forbids to write over symlinks, similar to bsdtar.
It also adds a new option "--extract-over-symlinks" to restore the original
behaviour.

I sent it to Sergey Poznyakoff (upstream maintainer) in July,
but there was no response.

Here's a corresponding bug in SUSE bugzilla:
https://bugzilla.suse.com/show_bug.cgi?id=658010

> Initial report:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669
> 
> Upstream report:
> https://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html
> 
> Some discussion:
> http://www.openwall.com/lists/oss-security/2015/01/07/5
> http://www.openwall.com/lists/oss-security/2015/01/08/4
> 
> Could CVE(s) please be assigned?
> 
> -- 
> Alexander Cherepanov

-- 
Vita Cizek

View attachment "cpio-check_for_symlinks.patch" of type "text/x-patch" (5057 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.