
Bug#774716: marked as done (paxtar: directory traversal vulnerabilities (CVE-2015-1193 CVE-2015-1194))



Your message dated Tue, 08 Mar 2016 12:20:47 +0000
with message-id <E1adGd5-0000zQ-9O@franck.debian.org>
and subject line Bug#774716: fixed in pax 1:20160306-1
has caused the Debian Bug report #774716,
regarding paxtar: directory traversal vulnerabilities (CVE-2015-1193 CVE-2015-1194)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
774716: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774716
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: pax
Version: 1:20140703-2
Tags: security

paxtar is susceptible to directory traversal vulnerabilities. They can be exploited by a rogue archive to write files outside the current directory.

1. paxtar will extract files with .. components in names.

For example, let's create a sample archive:

  echo hello > ../file
  paxtar cvf test.tar ../file
  rm ../file

and then test it:

  paxtar xvf test.tar

This will create a file "../file".

2. While extracting an archive, it will extract symlinks and then follow them if they are referenced in further entries.

For example, let's create a sample archive:

  ln -s /tmp dir
  paxtar cvf test.tar dir
  rm dir
  mkdir dir
  echo hello > dir/file
  paxtar rvf test.tar dir/file
  rm -r dir

and then test it:

  paxtar xvf test.tar

This will create a symlink "dir" in the current directory and a file "/tmp/file".

--
Alexander Cherepanov

--- End Message ---
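The two patterns in the report above (a member name containing `..`, and a symlink member followed by an entry whose path passes through it) are easy to reproduce without paxtar, and the useful defensive step is to audit an archive's member list before anything is written. The following is an added example, not code from the bug report or from pax: it constructs the two hostile archives inline with Python's `tarfile` module, plus a benign one, and runs a pre-extraction audit that rejects escaping paths, symlink targets that leave the extraction root, hard-link targets that escape, and any later entry whose path traverses an earlier symlink member. Function names (`audit`, `safe_extract`, the `build_*` helpers) are this example's own.

```python
"""Reproduce the paxtar traversal patterns with tarfile and audit archives
before extraction.  Added example; archives are constructed inline."""
import io
import posixpath
import tarfile


def _add_file(tar, name, data):
    """Add a regular-file member with an arbitrary (possibly hostile) name."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def _add_symlink(tar, name, target):
    """Add a symlink member; tarfile does not validate the target."""
    info = tarfile.TarInfo(name)
    info.type = tarfile.SYMTYPE
    info.linkname = target
    tar.addfile(info)


def build_dotdot_archive():
    """First report: a member whose name climbs out of the root with '..'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "../file", b"hello\n")
    return buf.getvalue()


def build_symlink_archive():
    """Second report: symlink 'dir' -> /tmp, then a file written via 'dir/'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_symlink(tar, "dir", "/tmp")
        _add_file(tar, "dir/file", b"hello\n")
    return buf.getvalue()


def build_benign_archive():
    """A symlink that stays inside the tree is fine and must not be flagged."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "sub/file", b"hello\n")
        _add_symlink(tar, "sub/link", "file")
    return buf.getvalue()


def _escapes(path):
    """True if a path is absolute or normalises to something above '.'."""
    norm = posixpath.normpath(path)
    return path.startswith("/") or norm == ".." or norm.startswith("../")


def audit(tar_bytes):
    """Return [(member_name, reason)] for entries that must not be extracted
    into the current directory.  Symlink members are remembered so that any
    later entry whose path passes through one is rejected; that is the check
    the second report shows paxtar lacked."""
    findings = []
    symlinks = set()  # normalised names of symlink members seen so far
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            name = posixpath.normpath(m.name)
            if _escapes(m.name):
                findings.append((m.name, "path escapes extraction root"))
                continue
            # every ancestor directory of this entry must not be a prior symlink
            parts = name.split("/")
            for i in range(1, len(parts)):
                ancestor = "/".join(parts[:i])
                if ancestor in symlinks:
                    findings.append((m.name, "path passes through symlink %r" % ancestor))
                    break
            else:
                if m.issym():
                    # resolve the target relative to the link's own directory
                    target = posixpath.join(posixpath.dirname(name), m.linkname)
                    if _escapes(m.linkname) or _escapes(target):
                        findings.append((m.name, "symlink target %r escapes root" % m.linkname))
                    symlinks.add(name)
                elif m.islnk() and _escapes(m.linkname):
                    findings.append((m.name, "hard link target %r escapes root" % m.linkname))
    return findings


def safe_extract(tar_bytes, dest):
    """Refuse the whole archive if audit() reports anything, else extract it."""
    findings = audit(tar_bytes)
    if findings:
        raise ValueError("refusing to extract: %r" % findings)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        tar.extractall(dest)
    return True


if __name__ == "__main__":
    for label, archive in (("dotdot", build_dotdot_archive()),
                           ("symlink", build_symlink_archive()),
                           ("benign", build_benign_archive())):
        print(label, audit(archive) or "clean")
```

Auditing the member list up front, rather than checking each entry as it is written, is what lets the symlink case be caught: by the time `dir/file` is reached, `dir` is already known to be a link. A per-entry check that only looks at `..` in the name would pass `dir/file` and reproduce the second bug.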
--- Begin Message ---
Source: pax
Source-Version: 1:20160306-1

We believe that the bug you reported is fixed in the latest version of
pax, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774716@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <tg@mirbsd.de> (supplier of updated pax package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 06 Mar 2016 22:08:00 +0100
Source: pax
Binary: pax
Architecture: source amd64
Version: 1:20160306-1
Distribution: unstable
Urgency: high
Maintainer: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Description:
 pax        - Portable Archive Interchange (cpio, pax, tar)
Closes: 764402 774716
Changes:
 pax (1:20160306-1) unstable; urgency=high
 .
   * New upstream version
     - addresses CVE-2015-1193 and CVE-2015-1194 (Closes: #774716)
   * Retake active maintainership with sponsors (Closes: #764402)
   * Update tables.c from CVS incorporating lintian spelling fixes
   * Bump S-V (no changes); add Homepage; SSL URIs for VCS (lintian)
Checksums-Sha1:
 7deb71c2489a9007f2dcd9bda0132e9b844d0dc8 1791 pax_20160306-1.dsc
 8bc9041cc85b510abfb1412dbc4e11bb95869501 111100 pax_20160306.orig.tar.xz
 8feddf8fd9e1ea1c96b57ef6984c1a5bc446243f 6996 pax_20160306-1.debian.tar.xz
 342e0620d7239188cbc12981450cd397d162db0c 113664 pax-dbgsym_20160306-1_amd64.deb
 ed44687c5c78663a69fab1ed0222660006163c4b 81928 pax_20160306-1_amd64.deb
Checksums-Sha256:
 f9ac72b7ffa1cfdbb50ade5856f1ce734f9648533aafc57d2c4f867a0e69e4ef 1791 pax_20160306-1.dsc
 63366bd2b070653e3ae0a4d236136349997d90c85effc09311e09cd376369f7a 111100 pax_20160306.orig.tar.xz
 9c65a90867531e50760cc1725cad9508ca4b7376f3258f9d9614eb61ef422856 6996 pax_20160306-1.debian.tar.xz
 1d8dc1df570798e353c4f297125c35b79cb9f8367be984ed3b710882f00a9d43 113664 pax-dbgsym_20160306-1_amd64.deb
 2f67bf927f5ea1cc5997315499c6228e2da5e473502b45a7b4b7681e23265d75 81928 pax_20160306-1_amd64.deb
Files:
 a85de8df23e8e15318b8a0939606c57c 1791 utils optional pax_20160306-1.dsc
 2a41414abcaaa78495b8a9bb0b857c91 111100 utils optional pax_20160306.orig.tar.xz
 ec65e8777d6f138cbfab2d2e782de617 6996 utils optional pax_20160306-1.debian.tar.xz
 f66f7c2b4cbb9f31ab639213eb4dfcd3 113664 debug extra pax-dbgsym_20160306-1_amd64.deb
 2bce29059e1ea2b9f1eb7f883b2cc73c 81928 utils optional pax_20160306-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJW3rv6AAoJEHQmOzf1tfkTtOcP/iDb5L4+kEf9x9ogxpk2VfS7
Z+2FlS9t9H805gecNHYuq+usOMvRFdTD3IVs+rpIHjWN7wHNNLrZ9J0se6/osWZJ
4+v45nkXGnngsWZkz3qgYJKwa6lP8Kq5+UCL4L6E5hlNbCDw9z17PJE4kfzWO2ZI
04Rp8kFxhvtrXwCA3vbhKTjdCSFOaRNmr+np6SGB/yhtZqYK+sKe/05VRr9KJZzO
tu+zLr9PhJUEAaSdMtOoNoyhfsR+8SW8QLre6Q1OWhAPZqtQAFS923ScQXG6cfPh
ZH3L5y4hXR3Q/k2ndH9kMzBCoh7OJFrxCsrXHV4DZjwVoLfWzDTr0LrfvY5Fo6pB
POSh08QiMbU96UkcZ4Hp3fsR9fkurW6u6NOWAh5Bxhgc0f6G5dlqb9gH+OzX3tVm
xi9F1fjlPXMn/jAD7YAQdRM7wjNCUCShRY45CuWTwKLJhjsatACCa2kbng737da4
t/r2/4vOqO6iM2VLEzetkF0xYHKoTepHbAUvc9//vgyTNxF8dFSy3E2BuMtbLAcJ
5G2YMe55XMPGPCLUmTHvZqWPus3EFFuT6Xjl/xrXlp35TzYreRfNhLBmu8Ts/ijj
dY1Aef1LIxfWQL+PBpRNEg82alvlKEmN4GYEHN92DRc7ScSZElwhW8C4iBPoKjXC
ODSk8kuzjtShEjVka/ta
=hU/e
-----END PGP SIGNATURE-----

--- End Message ---
