69315 – app-arch/cabextract: File overwrite vulnerability

Bug 69315 - app-arch/cabextract: File overwrite vulnerability

Summary: app-arch/cabextract: File overwrite vulnerability

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All All

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://secunia.com/advisories/13009/
Whiteboard:	C3 [glsa?] lewk
Keywords:

Depends on:
Blocks:

Reported:	2004-10-28 13:26 UTC by Luke Macken (RETIRED)
Modified:	2011-10-30 22:40 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Luke Macken (RETIRED) gentoo-dev

2004-10-28 13:26:05 UTC

cabextract 1.1 has been released to fix this

Changes since 1.0:
A security vulnerability has been fixed. If the files within a cabinet file include "../" in their filenames, this will be changed to "xx/", so cabinets cannot access the parent directory of where you want to extract them.


fonts herd,

please bump to 1.1

Comment 1 Donnie Berkholz (RETIRED) gentoo-dev

2004-10-29 15:39:56 UTC

Done.

Needs stable keywords by: ppc sparc alpha hppa amd64 ia64.

Comment 2 Donnie Berkholz (RETIRED) gentoo-dev

2004-10-29 15:45:04 UTC

BTW, suggested test is `emerge media-fonts/corefonts` -- they use cab archives.

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-10-30 05:30:37 UTC

Thx Donnie.

Arches please mark cabextract-1.1 stable.

Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev

2004-10-30 06:07:23 UTC

sparc tasty.

Comment 5 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev

2004-10-30 11:46:57 UTC

Stable on ppc.

Comment 6 SpanKY gentoo-dev

2004-10-30 22:52:49 UTC

arm/hppa/ia64 stable

Comment 7 Bryan Østergaard (RETIRED) gentoo-dev

2004-10-31 02:31:39 UTC

Stable on alpha.

Comment 8 Thierry Carrez (RETIRED) gentoo-dev

2004-11-01 02:30:54 UTC

Not sure we need a GLSA for this one. Having root extract unknown .cab archives from known locations to overwrite files seems like an unlikely scenario...

Comment 9 Donnie Berkholz (RETIRED) gentoo-dev

2004-11-01 08:11:49 UTC

Good thing we know MD5's are safe, so we don't need to worry about a false .cab being inserted. =)

Comment 10 Thierry Carrez (RETIRED) gentoo-dev

2004-11-02 11:17:05 UTC

This is CAN-2004-0916

Comment 11 Jeremy Huddleston (RETIRED) gentoo-dev

2004-11-02 12:25:08 UTC

stable amd64

Comment 12 Thierry Carrez (RETIRED) gentoo-dev

2004-11-02 13:51:23 UTC

Please vote on GLSA...

Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-11-02 14:40:37 UTC

I vote for no GLSA on this one.

Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev

2004-11-03 00:10:23 UTC

voting for no GLSA too

at least here we can vote today ;-)

Comment 15 Thierry Carrez (RETIRED) gentoo-dev

2004-11-03 00:52:03 UTC

OK then we close it.