cabextract: CVE-2015-2060: Directory traversal

Related Vulnerabilities: CVE-2015-2060  

Debian Bug report logs - #778753


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 19 Feb 2015 10:45:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version cabextract/1.4-3

Fixed in version cabextract/1.6-1

Done: Eric Sharkey <sharkey@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Eric Sharkey <sharkey@debian.org>:
Bug#778753; Package cabextract. (Thu, 19 Feb 2015 10:45:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Eric Sharkey <sharkey@debian.org>. (Thu, 19 Feb 2015 10:45:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cabextract: Directory traversal (CVE pending)
Date: Thu, 19 Feb 2015 11:38:07 +0100
Package: cabextract
Severity: important
Tags: security
Justification: user security hole

Please see http://www.openwall.com/lists/oss-security/2015/02/18/3 for
the CVE request.

Upstream fix is here:
http://sourceforge.net/p/libmspack/code/217

Since unstable has a more recent version than testing, could you make
a targeted jessie upload with this patch?

Cheers,
        Moritz

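The report above concerns member names inside a cabinet steering extraction outside the output directory. The following is an added illustration of the kind of name check an extractor needs for that; it is not cabextract's or libmspack's code and not the upstream patch linked above, and the function names are assumptions. CAB member names use backslash as separator, so both separators are treated alike.

```c
#include <stdlib.h>
#include <string.h>

/* Added illustration, not cabextract's or libmspack's code: the member-name
 * check an archive extractor needs so that a crafted name cannot steer
 * output outside the chosen directory. CAB names use '\\' as separator,
 * so both '\\' and '/' are treated as separators here. */

/* Returns 1 if name may be joined under an output directory, 0 otherwise. */
int cab_name_is_safe(const char *name)
{
    const char *p = name;
    size_t len;

    if (name == NULL || *name == '\0') return 0;
    /* Reject absolute paths and DOS drive prefixes ("C:...") outright. */
    if (*p == '/' || *p == '\\') return 0;
    if ((p[0] | 0x20) >= 'a' && (p[0] | 0x20) <= 'z' && p[1] == ':') return 0;
    /* Walk the name component by component; a ".." component is traversal. */
    while (*p) {
        len = strcspn(p, "/\\");
        if (len == 0) return 0;             /* empty component (doubled separator) */
        if (len == 2 && p[0] == '.' && p[1] == '.') return 0;
        p += len;
        if (*p) p++;                        /* step over the separator */
    }
    return 1;
}

/* Joins outdir and a safe member name, normalising '\\' to '/'.
 * Returns NULL for an unsafe name; the caller frees the result. */
char *cab_output_path(const char *outdir, const char *name)
{
    size_t olen = strlen(outdir), nlen = strlen(name);
    char *out, *q;

    if (!cab_name_is_safe(name)) return NULL;
    out = malloc(olen + 1 + nlen + 1);
    if (out == NULL) return NULL;
    memcpy(out, outdir, olen);
    out[olen] = '/';
    memcpy(out + olen + 1, name, nlen + 1);
    for (q = out + olen + 1; *q; q++)
        if (*q == '\\') *q = '/';
    return out;
}
```

A name such as "..foo\bar" passes because ".." is only rejected as a whole component, while "a/../b" and any absolute or drive-prefixed name are refused before a path is ever built.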


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 19 Feb 2015 11:27:04 GMT)


Marked as found in versions cabextract/1.4-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 19 Feb 2015 11:39:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Eric Sharkey <sharkey@debian.org>:
Bug#778753; Package cabextract. (Fri, 20 Feb 2015 02:39:04 GMT)


Acknowledgement sent to Eric Sharkey <eric@lisaneric.org>:
Extra info received and forwarded to list. Copy sent to Eric Sharkey <sharkey@debian.org>. (Fri, 20 Feb 2015 02:39:04 GMT)


Message #14 received at 778753@bugs.debian.org:

From: Eric Sharkey <eric@lisaneric.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 778753@bugs.debian.org
Subject: Re: Bug#778753: cabextract: Directory traversal (CVE pending)
Date: Thu, 19 Feb 2015 21:34:06 -0500
I'm looking at upstream's patch now.  It's not going to apply cleanly
to 1.4 and there's some stuff in there that looks a little off to me.
I'll follow up with Stuart.

Eric



Information forwarded to debian-bugs-dist@lists.debian.org, Eric Sharkey <sharkey@debian.org>:
Bug#778753; Package cabextract. (Sat, 21 Feb 2015 02:27:05 GMT)


Acknowledgement sent to Eric Sharkey <eric@lisaneric.org>:
Extra info received and forwarded to list. Copy sent to Eric Sharkey <sharkey@debian.org>. (Sat, 21 Feb 2015 02:27:05 GMT)


Message #19 received at submit@bugs.debian.org:

From: Eric Sharkey <eric@lisaneric.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 778753@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#778753: cabextract: Directory traversal (CVE pending)
Date: Fri, 20 Feb 2015 21:25:56 -0500
On Thu, Feb 19, 2015 at 5:38 AM, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> Upstream fix is here:
> http://sourceforge.net/p/libmspack/code/217
>
> Since unstable has a more recent version than testing, could you make
> a targeted jessie upload with this patch?

I've written a new patch from scratch to fix cabextract 1.4 and
uploaded this to jessie-security as 1.4-6.

Please let me know if there are any issues.  I don't think I've had to
do a security upload in the last 10 years or so, so I'm a bit out of
practice.

I don't have a new build for sid yet.  Maybe tomorrow.

Eric



Information forwarded to debian-bugs-dist@lists.debian.org, Eric Sharkey <sharkey@debian.org>:
Bug#778753; Package cabextract. (Sat, 21 Feb 2015 02:27:08 GMT)


Acknowledgement sent to Eric Sharkey <eric@lisaneric.org>:
Extra info received and forwarded to list. Copy sent to Eric Sharkey <sharkey@debian.org>. (Sat, 21 Feb 2015 02:27:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Eric Sharkey <sharkey@debian.org>:
Bug#778753; Package cabextract. (Sat, 21 Feb 2015 08:39:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Eric Sharkey <sharkey@debian.org>. (Sat, 21 Feb 2015 08:39:05 GMT)


Message #29 received at 778753@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Eric Sharkey <eric@lisaneric.org>, 778753@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#778753: cabextract: Directory traversal (CVE pending)
Date: Sat, 21 Feb 2015 09:35:31 +0100
Hi Eric,

On Fri, Feb 20, 2015 at 09:25:56PM -0500, Eric Sharkey wrote:
> On Thu, Feb 19, 2015 at 5:38 AM, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> > Upstream fix is here:
> > http://sourceforge.net/p/libmspack/code/217
> >
> > Since unstable has a more recent version than testing, could you make
> > a targeted jessie upload with this patch?
> 
> I've written a new patch from scratch to fix cabextract 1.4 and
> uploaded this to jessie-security as 1.4-6.
> 
> Please let me know if there are any issues.  I don't think I've had to
> do a security upload in the last 10 years or so, so I'm a bit out of
> practice.

There is no jessie-security yet, could you please coordinate with the
release team for a targeted fix via jessie proposed-updates:
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable ?

Btw, please do not upload to security-master without prior
coordination with the security-team, see
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#s5.6.4


Hope the two references above help,

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Eric Sharkey <sharkey@debian.org>:
Bug#778753; Package cabextract. (Sat, 21 Feb 2015 13:15:04 GMT)


Acknowledgement sent to Eric Sharkey <eric@lisaneric.org>:
Extra info received and forwarded to list. Copy sent to Eric Sharkey <sharkey@debian.org>. (Sat, 21 Feb 2015 13:15:04 GMT)


Message #34 received at 778753@bugs.debian.org:

From: Eric Sharkey <eric@lisaneric.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 778753@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#778753: cabextract: Directory traversal (CVE pending)
Date: Sat, 21 Feb 2015 08:10:11 -0500
On Sat, Feb 21, 2015 at 3:35 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Btw, please do not upload to security-master without prior
> coordination with the security-team, see
> https://www.debian.org/doc/manuals/developers-reference/pkgs.html#s5.6.4

I'm familiar with the developers' reference.  Since this bug report
was filed by a security team member (Moritz) and tagged as a security
bug, I was under the impression that authorization from the security
team had been granted already.  If there's more to the procedure than
that, I don't think the reference makes that clear.

Eric



Changed Bug title to 'cabextract: CVE-2015-2060: Directory traversal' from 'cabextract: Directory traversal (CVE pending)'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 23 Feb 2015 21:57:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Eric Sharkey <sharkey@debian.org>:
Bug#778753; Package cabextract. (Thu, 05 Mar 2015 21:09:13 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Eric Sharkey <sharkey@debian.org>. (Thu, 05 Mar 2015 21:09:13 GMT)


Message #41 received at 778753@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Eric Sharkey <eric@lisaneric.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 778753@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#778753: cabextract: Directory traversal (CVE pending)
Date: Thu, 5 Mar 2015 22:04:55 +0100
On Sat, Feb 21, 2015 at 08:10:11AM -0500, Eric Sharkey wrote:
> On Sat, Feb 21, 2015 at 3:35 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> > Btw, please do not upload to security-master without prior
> > coordination with the security-team, see
> > https://www.debian.org/doc/manuals/developers-reference/pkgs.html#s5.6.4
> 
> I'm familiar with the developers' reference.  Since this bug report
> was filed by a security team member (Moritz) and tagged as a security
> bug, I was under the impression that authorization from the security
> team had been granted already.

I'm sorry if I gave that impression. When we file security bugs in the
BTS we try to get the information out to the maintainers as quickly
as possible. The assessment of the impact and status for stable/oldstable
is usually a bit more involved, so it's separate from the initial
bug report.

Cheers,
        Moritz



Added tag(s) pending. Request was from Marc Dequènes (Duck) <Duck@DuckCorp.org> to control@bugs.debian.org. (Thu, 26 Mar 2015 09:24:08 GMT)


Removed tag(s) pending. Request was from Marc Dequènes (Duck) <Duck@DuckCorp.org> to control@bugs.debian.org. (Thu, 26 Mar 2015 09:27:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Eric Sharkey <sharkey@debian.org>:
Bug#778753; Package cabextract. (Thu, 02 Apr 2015 20:18:08 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Eric Sharkey <sharkey@debian.org>. (Thu, 02 Apr 2015 20:18:08 GMT)


Message #50 received at 778753@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Eric Sharkey <eric@lisaneric.org>
Cc: team@security.debian.org, 778753@bugs.debian.org
Subject: Re: Bug#778753: cabextract: Directory traversal (CVE pending)
Date: Thu, 2 Apr 2015 22:14:54 +0200
On Fri, Feb 20, 2015 at 09:25:56PM -0500, Eric Sharkey wrote:
> On Thu, Feb 19, 2015 at 5:38 AM, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> > Upstream fix is here:
> > http://sourceforge.net/p/libmspack/code/217
> >
> > Since unstable has a more recent version than testing, could you make
> > a targeted jessie upload with this patch?
> 
> I've written a new patch from scratch to fix cabextract 1.4 and
> uploaded this to jessie-security as 1.4-6.
> 
> Please let me know if there are any issues.  I don't think I've had to
> do a security upload in the last 10 years or so, so I'm a bit out of
> practice.
> 
> I don't have a new build for sid yet.  Maybe tomorrow.

The jessie release is scheduled for end of April, could you please
upload a fixed package?

Cheers,
        Moritz



Reply sent to Eric Sharkey <sharkey@debian.org>:
You have taken responsibility. (Fri, 03 Apr 2015 00:09:05 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Fri, 03 Apr 2015 00:09:05 GMT)


Message #55 received at 778753-close@bugs.debian.org:

From: Eric Sharkey <sharkey@debian.org>
To: 778753-close@bugs.debian.org
Subject: Bug#778753: fixed in cabextract 1.6-1
Date: Fri, 03 Apr 2015 00:03:40 +0000
Source: cabextract
Source-Version: 1.6-1

We believe that the bug you reported is fixed in the latest version of
cabextract, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 778753@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eric Sharkey <sharkey@debian.org> (supplier of updated cabextract package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 02 Apr 2015 19:36:53 -0400
Source: cabextract
Binary: cabextract
Architecture: source i386
Version: 1.6-1
Distribution: unstable
Urgency: medium
Maintainer: Eric Sharkey <sharkey@debian.org>
Changed-By: Eric Sharkey <sharkey@debian.org>
Description:
 cabextract - Microsoft Cabinet file unpacker
Closes: 778753
Changes:
 cabextract (1.6-1) unstable; urgency=medium
 .
   * New upstream release: Closes: #778753



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 May 2015 08:05:36 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:06:01 2019; Machine Name: beach
