Bug 156314 - CAN-2005-1229 cpio directory traversal issue
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: cpio
3
All Linux
medium Severity low
Assigned To: Peter Vrabec
Brock Organ
impact=low,public=20050420,source=cve...
: Security
Reported: 2005-04-28 16:46 EDT by Josh Bressers
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2005-05-17 08:27:45 EDT


Attachments
fix candidate for devel, it needs more tests (2.45 KB, patch)
2005-05-10 09:10 EDT, Peter Vrabec
new patch from ALT Linux, I use it for devel (6.78 KB, patch)
2005-05-17 08:27 EDT, Peter Vrabec

Description Josh Bressers 2005-04-28 16:46:22 EDT
+++ This bug was initially created as a clone of Bug #156313 +++

Directory traversal vulnerability in cpio 2.6 and earlier allows remote
attackers to write to arbitrary directories via a .. (dot dot) in a cpio file.
Comment 1 Peter Vrabec 2005-05-10 09:10:35 EDT
Created attachment 114202
fix candidate for devel, it needs more tests

When --no-absolute-filenames is used, it skips members with '..' in the name
(including links).
Comment 2 Peter Vrabec 2005-05-10 09:20:16 EDT
Should there be a new option to disallow '..' by default,
or disallow '..' when --no-absolute-filenames is used?

I would like to know which variant is the best one.

Comment 3 Josh Bressers 2005-05-10 09:42:44 EDT
I think it would be better to disallow absolute filenames by default and have an
option to enable them.  This is what tar does.  It will strip out /../ unless
you tell it not to.
Comment 4 Peter Vrabec 2005-05-17 08:27:05 EDT
Created attachment 114460
new patch from ALT Linux, I use it for devel
Comment 5 Michal Jaegermann 2005-07-12 16:37:59 EDT
A minor issue.  cpio.texi does not reflect changes in options semantics;
only cpio.info is patched.
