Bug 1185717 (CVE-2015-1386)
| Summary: | CVE-2015-1386 unshield: directory traversal | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | andreas.bierfert, pere |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-06-10 21:06:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1185718, 1185719 | ||
| Bug Blocks: | |||
Created unshield tracking bugs for this issue: Affects: fedora-all [bug 1185718] Affects: epel-all [bug 1185719] This issue is reported upstream as https://github.com/twogood/unshield/issues/42 . Still unsolved upstream. |
Jakub Wilk reports: Package: unshield Version: 1.0-1 Tags: security unshield is vulnerable to directory traversal via "../" sequences. As a proof of concept, unpacking the attached InstallShield archive creates a file in /tmp: $ ls /tmp/moo ls: cannot access /tmp/moo: No such file or directory $ unshield x data1.cab Cabinet: data1.cab extracting: ./Bovine_Files/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo -------- ------- 1 files $ ls /tmp/moo /tmp/moo -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (990, 'unstable'), (500, 'experimental') Architecture: i386 (x86_64) Foreign Architectures: amd64 Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init)