Bug 1539685 (CVE-2017-7516) - CVE-2017-7516 cpio: --no-absolute-filenames bypass via symlinks
Summary: CVE-2017-7516 cpio: --no-absolute-filenames bypass via symlinks
Status: CLOSED DUPLICATE of bug 1179773
Alias: CVE-2017-7516
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
(Show other bugs)
Version: unspecified
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20170605,repor...
Keywords: Security
Depends On: 1188590 1539687 1539688
Blocks: 1458829
TreeView+ depends on / blocked
 
Reported: 2018-01-29 12:44 UTC by Cedric Buissart
Modified: 2018-09-06 05:12 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-23 11:55:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Cedric Buissart 2018-01-29 12:44:53 UTC
Note: this bug is actually a duplicate of CVE-2015-1197. See CVE-2015-1197 for information regarding this.

A possible --no-absolute-filenames bypass while extracting a malicious archive in cpio. This allows for arbitrary file creation.

Comment 1 Cedric Buissart 2018-01-29 12:46:21 UTC
External References:

http://lists.gnu.org/archive/html/bug-cpio/2017-06/msg00001.html

Comment 2 Cedric Buissart 2018-01-29 12:54:18 UTC
Created cpio tracking bugs for this issue:

Affects: fedora-all [bug 1539688]

Comment 4 Adam Mariš 2018-01-29 15:24:37 UTC
Acknowledgments:

Name: Cedric Buissart (Red Hat)

Comment 6 Salvatore Bonaccorso 2018-02-18 21:30:48 UTC
Hi Cedric,

Isn't that a duplicate of CVE-2015-1197?

Regards,
Salvatore

Comment 7 Salvatore Bonaccorso 2018-02-18 21:45:20 UTC
Sorry to be more specific, there are references in the MITRE entry at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1197 . 

https://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html

Was posted on the cpio bug list, but I think it never got a reply. Several distributions seem to have then applied the patch from SuSE (at least in Debian, SUSE, Ubuntu, Mageia).

Regards,
Salvatore

Comment 8 Salvatore Bonaccorso 2018-02-20 05:45:31 UTC
Hi Doran, hi Cedric

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7516 has been updated.

Regards,
Salvatore

Comment 9 Cedric Buissart 2018-02-23 11:55:28 UTC
Hi Salvatore,
Ouch ... thanks! I had missed it :(

Comment 10 Cedric Buissart 2018-03-13 11:43:09 UTC

*** This bug has been marked as a duplicate of bug 1179773 ***


Note You need to log in before you can comment on or make changes to this bug.