Bug#: 69315
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Luke Macken (RETIRED) <lewk@gentoo.org>

Description:   Opened: 2004-10-28 13:26 0000
cabextract 1.1 has been released to fix this

Changes since 1.0:
A security vulnerability has been fixed. If the files within a cabinet file include "../" in their filenames, this will be changed to "xx/", so cabinets cannot access the parent directory of where you want to extract them.


fonts herd,

please bump to 1.1
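
The rewrite described in the 1.1 changelog above, shown as an added example (not part of the original report and not cabextract's own code): every literal "../" in a member name becomes "xx/", and a depth check confirms the result can no longer climb out of the extraction directory. The function names `neutralize_dotdot` and `escapes_root` and the sample member names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Rewrite every literal "../" in a member name to "xx/", in place,
 * as the changelog describes. Returns the number of rewrites. */
int neutralize_dotdot(char *name)
{
    int n = 0;
    char *p = name;
    while ((p = strstr(p, "../")) != NULL) {
        p[0] = p[1] = 'x';
        p += 3;
        n++;
    }
    return n;
}

/* Return 1 if walking the '/'-separated components of a relative path
 * ever climbs above the starting directory, else 0. Absolute paths
 * need a separate check that is not covered here. */
int escapes_root(const char *path)
{
    int depth = 0;
    const char *p = path;
    while (*p) {
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0) return 1;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;
        }
        p += len;
        if (*p == '/') p++;
    }
    return 0;
}

int main(void)
{
    /* Constructed member names, not taken from any real cabinet. */
    const char *samples[] = { "fonts/arial.ttf", "../../outside.txt",
                              "a/../../b", "foo../bar" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        char buf[256];
        snprintf(buf, sizeof buf, "%s", samples[i]);
        int before = escapes_root(buf);
        int n = neutralize_dotdot(buf);
        printf("%-18s -> %-18s rewrites=%d escapes: %d -> %d\n",
               samples[i], buf, n, before, escapes_root(buf));
    }
    return 0;
}
```

Because the match is on the literal three characters, a harmless component that merely ends in ".." (the constructed `foo../bar`) is rewritten as well.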

------- Comment #1 From Donnie Berkholz 2004-10-29 15:39:56 0000 -------
Done.

Needs stable keywords by: ppc sparc alpha hppa amd64 ia64.

------- Comment #2 From Donnie Berkholz 2004-10-29 15:45:04 0000 -------
BTW, suggested test is `emerge media-fonts/corefonts` -- they use cab archives.

------- Comment #3 From Sune Kloppenborg Jeppesen 2004-10-30 05:30:37 0000 -------
Thx Donnie.

Arches please mark cabextract-1.1 stable.

------- Comment #4 From Gustavo Zacarias (RETIRED) 2004-10-30 06:07:23 0000 -------
sparc tasty.

------- Comment #5 From Michael Hanselmann (hansmi) (RETIRED) 2004-10-30 11:46:57 0000 -------
Stable on ppc.

------- Comment #6 From SpanKY 2004-10-30 22:52:49 0000 -------
arm/hppa/ia64 stable

------- Comment #7 From Bryan Østergaard (RETIRED) 2004-10-31 02:31:39 0000 -------
Stable on alpha.

------- Comment #8 From Thierry Carrez (RETIRED) 2004-11-01 02:30:54 0000 -------
Not sure we need a GLSA for this one. Having root extract unknown .cab archives
from known locations to overwrite files seems like an unlikely scenario...

------- Comment #9 From Donnie Berkholz 2004-11-01 08:11:49 0000 -------
Good thing we know MD5's are safe, so we don't need to worry about a false .cab
being inserted. =)

------- Comment #10 From Thierry Carrez (RETIRED) 2004-11-02 11:17:05 0000 -------
This is CAN-2004-0916

------- Comment #11 From Jeremy Huddleston (RETIRED) 2004-11-02 12:25:08 0000 -------
stable amd64

------- Comment #12 From Thierry Carrez (RETIRED) 2004-11-02 13:51:23 0000 -------
Please vote on GLSA...

------- Comment #13 From Sune Kloppenborg Jeppesen 2004-11-02 14:40:37 0000 -------
I vote for no GLSA on this one.

------- Comment #14 From Matthias Geerdsen 2004-11-03 00:10:23 0000 -------
voting for no GLSA too

at least here we can vote today ;-)

------- Comment #15 From Thierry Carrez (RETIRED) 2004-11-03 00:52:03 0000 -------
OK then we close it.
