Bugzilla – Bug 913635
VUL-0: CVE-2015-1193 CVE-2015-1194: pax: path traversal and symlink following vulnerability
Last modified: 2016-09-08 12:22:44 UTC
CVE-2015-1193 and CVE-2015-1194 paxtar is susceptible to directory traversal vulnerabilities. They can be exploited by a rogue archive to write files outside the current directory. 1. paxtar will extract files with .. components in names. For example, let's create a sample archive: echo hello > ../file paxtar cvf test.tar ../file rm ../file and then test it: paxtar xvf test.tar This will create a file "../file". 2. While extracting an archive, it will extract symlinks and then follow them if they are referenced in further entries. For example, let's create a sample archive: ln -s /tmp dir paxtar cvf test.tar dir rm dir mkdir dir echo hello > dir/file paxtar rvf test.tar dir/file rm -r dir and then test it: paxtar xvf test.tar This will create a symlink "dir" in the current directory and a file "/tmp/file". References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774716 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1193 http://seclists.org/oss-sec/2015/q1/170 http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1193.html
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-03-19. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60931
(In reply to Swamp Workflow Management from comment #2) > Please submit fixed packages until 2015-03-19. Since no working fixes exist, that's impossible. Upstream reverted all changes because they made more problems then they fixed.
I canceled the swamp again.
I don't see that anybody is really interested in fixing this. We removed pax for SLE12 SP1 and replaced it with star, closing this one as wontfix.