Bugzilla – Bug 912878
VUL-1: CVE-2015-1038: p7zip: directory traversal vulnerability
Last modified: 2016-04-27 19:33:47 UTC
CVE-2015-1038

It was reported [1] that p7zip suffers from a directory traversal flaw. This could allow the overwriting of arbitrary files through uncompressing a crafted archive, with the privileges of the user running 7z.

For example:

  $ ln -s /tmp foo
  $ 7z a test.7z foo
  $ rm foo
  $ mkdir foo
  $ echo hello > foo/test
  $ 7z a test.7z foo/test
  $ rm -rf foo
  $ 7z x test.7z

This will create 'foo' as a symlink to /tmp which will in turn contain the file 'test' with the privileges of the user unarchiving 'test.7z'.

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1179505
bugbot adjusting priority
There's a patch in the Debian bugzilla:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660#34
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660#46

Tested with 9.38.1.

BEFORE

  $ 7z x test.7z

  7-Zip [64] 9.38 beta  Copyright (c) 1999-2014 Igor Pavlov  2015-01-03
  p7zip Version 9.38.1 (locale=C,Utf16=off,HugeFiles=on,1 CPU)

  Processing archive: test.7z

  Extracting  foo
  Extracting  foo/test

  Everything is Ok

  Files: 2
  Size:       10
  Compressed: 178
  $ cat /tmp/test
  hello
  $

AFTER

  $ 7z x test.7z

  7-Zip [64] 9.38 beta  Copyright (c) 1999-2014 Igor Pavlov  2015-01-03
  p7zip Version 9.38.1 (locale=C,Utf16=off,HugeFiles=on,1 CPU)

  Processing archive: test.7z

  Extracting  foo
  ERROR: Can not open output file : ./foo/test
  Skipping    foo/test

  Sub items Errors: 1

  Archives with Errors: 1
  Sub items Errors: 1
  $ cat /tmp/test
  cat: /tmp/test: No such file or directory
  $
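The check behind the "Can not open output file" behaviour above, written out as an added Python example (not p7zip's or the Debian patch's code): before each archive member is written, the extractor resolves the member's parent directory and refuses the write if a symlink planted by an earlier member has moved it outside the extraction root. The temporary directory layout and member names are constructed to replay the test.7z from the report.

```python
import os
import tempfile


def safe_output_path(extract_root, member_name):
    """Return the absolute path an archive member may be written to, or None
    if the write would land outside extract_root: lexically (absolute name or
    '..' components) or physically, because a directory on the way is a
    symlink pointing out of the tree, as 'foo -> /tmp' does in the report."""
    root = os.path.realpath(extract_root)
    dest = os.path.normpath(os.path.join(root, member_name))
    if os.path.commonpath([root, dest]) != root:
        return None
    # realpath() follows any symlink a previously extracted member created,
    # so a planted 'foo -> /tmp' turns root/foo/test into /tmp/test.
    parent = os.path.realpath(os.path.dirname(dest))
    if os.path.commonpath([root, parent]) != root:
        return None
    return dest


def replay_report(tmp):
    """Replay the two-member archive from the report inside tmp: member 1 is
    the symlink 'foo' -> outside, member 2 is the file 'foo/test'.
    Returns the destinations the check allows for each (None = refused)."""
    outside = os.path.join(tmp, "outside")   # stands in for /tmp (constructed)
    root = os.path.join(tmp, "extract")
    os.makedirs(outside)
    os.makedirs(root)
    link_dest = safe_output_path(root, "foo")   # the symlink itself is fine
    os.symlink(outside, link_dest)
    return link_dest, safe_output_path(root, "foo/test")


def demo():
    """Run the replay plus the lexical cases; returns a dict of outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        link_dest, file_dest = replay_report(tmp)
        return {
            "symlink_member_allowed": link_dest is not None,
            "file_through_symlink_blocked": file_dest is None,
            "dotdot_blocked": safe_output_path(tmp, "../evil") is None,
            "absolute_blocked": safe_output_path(tmp, "/etc/passwd") is None,
            "plain_member_allowed": safe_output_path(tmp, "bar/test") is not None,
        }


if __name__ == "__main__":
    print(demo())
```

The parent-directory resolution happens right before the write, so a symlink created by any earlier member is seen; a real extractor would additionally open with O_NOFOLLOW (as 7z's "Can not open output file" suggests it now does) to close the window between check and write.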
oSF: sr#313236 oS: mr#313241 12: mr#60890
openSUSE-SU-2015:1162-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 912878
CVE References: CVE-2015-1038
Sources used:
openSUSE 13.2 (src):    p7zip-9.20.1-12.3.1
openSUSE 13.1 (src):    p7zip-9.20.1-10.3.1
SUSE-SU-2015:1433-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 912878
CVE References: CVE-2015-1038
Sources used:
SUSE Linux Enterprise Server 12 (src):    p7zip-9.20.1-3.2
SUSE Linux Enterprise Desktop 12 (src):    p7zip-9.20.1-3.2
released