Bug 1539685 (CVE-2017-7516) - CVE-2017-7516 cpio: --no-absolute-filenames bypass via symlinks
Summary: CVE-2017-7516 cpio: --no-absolute-filenames bypass via symlinks
Status: CLOSED DUPLICATE of bug 1179773
Alias: CVE-2017-7516
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: impact=moderate,public=20170605,repor...
Keywords: Security
Depends On: 1188590 1539687 1539688
Blocks: 1458829
TreeView+ depends on / blocked
Reported: 2018-01-29 12:44 UTC by Cedric Buissart ๐Ÿถ
Modified: 2019-06-08 22:39 UTC (History)
9 users (show)

Clone Of:
Last Closed: 2018-02-23 11:55:28 UTC

Attachments (Terms of Use)

Description Cedric Buissart ๐Ÿถ 2018-01-29 12:44:53 UTC
Note: this bug is actually a duplicate of CVE-2015-1197. See CVE-2015-1197 for information regarding this.

A possible --no-absolute-filenames bypass while extracting a malicious archive in cpio. This allows for arbitrary file creation.

Comment 1 Cedric Buissart ๐Ÿถ 2018-01-29 12:46:21 UTC
External References:


Comment 2 Cedric Buissart ๐Ÿถ 2018-01-29 12:54:18 UTC
Created cpio tracking bugs for this issue:

Affects: fedora-all [bug 1539688]

Comment 4 Adam Mariลก 2018-01-29 15:24:37 UTC

Name: Cedric Buissart (Red Hat)

Comment 6 Salvatore Bonaccorso 2018-02-18 21:30:48 UTC
Hi Cedric,

Isn't that a duplicate of CVE-2015-1197?


Comment 7 Salvatore Bonaccorso 2018-02-18 21:45:20 UTC
Sorry to be more specific, there are references in the MITRE entry at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1197 . 


Was posted on the cpio bug list, but I think it never got a reply. Several distributions seem to have then applied the patch from SuSE (at least in Debian, SUSE, Ubuntu, Mageia).


Comment 8 Salvatore Bonaccorso 2018-02-20 05:45:31 UTC
Hi Doran, hi Cedric

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7516 has been updated.


Comment 9 Cedric Buissart ๐Ÿถ 2018-02-23 11:55:28 UTC
Hi Salvatore,
Ouch ... thanks! I had missed it :(

Comment 10 Cedric Buissart ๐Ÿถ 2018-03-13 11:43:09 UTC

*** This bug has been marked as a duplicate of bug 1179773 ***

Note You need to log in before you can comment on or make changes to this bug.