Message-Id: <20151021214736.CE66B72E052@smtpvbsrv1.mitre.org>
Date: Wed, 21 Oct 2015 17:47:36 -0400 (EDT)
From: cve-assign@...re.org
To: tyhicks@...onical.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, security@...ntu.com, vda.linux@...glemail.com
Subject: Re: CVE Request: BusyBox tar directory traversal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> http://git.busybox.net/busybox/commit/?id=a116552869db5e7793ae10968eb3c962c69b3d8c
> https://bugs.busybox.net/8411

> an archive which contains:
> symlink/evil.py

> Untarring it puts evil.py in '/tmp'

Use CVE-2011-5325.


>> I forgot to mention that I took a look at BusyBox's protections against
>> directory traversal attacks while extracting files with absolute paths
>> or dot dot ("..") components and it seems to sufficiently protect
>> against those attacks.

OK, so there's no additional CVE ID.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
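The report quoted above describes an archive in which an earlier entry creates a symlink and a later entry, `symlink/evil.py`, is written through it, landing outside the extraction directory even though no absolute path or `..` component is involved. As an added illustration of the defensive check (not code from BusyBox, from the linked bug report, or from anyone in this thread), here is a small Python extractor that resolves each member's parent directory with `realpath` immediately before writing and refuses any member whose parent leaves the destination. The archive layout, the scratch directories and the helper names (`safe_extract`, `build_archive`, `run_demo`) are constructed for the demonstration.

```python
import io
import os
import tarfile
import tempfile


def _inside(path, root):
    """True when the fully resolved path is root itself or lies below it."""
    real = os.path.realpath(path)
    return real == root or real.startswith(root + os.sep)


def safe_extract(archive, dest):
    """Extract a tar archive into dest without ever writing through a symlink.

    archive is a path or the raw bytes of an uncompressed tar. Returns
    (extracted, rejected); rejected entries are (name, reason) pairs.
    Absolute names and '..' components are refused outright, and the parent
    directory of every member is resolved with realpath immediately before
    the write, so 'symlink/evil.py' is refused as soon as 'symlink' resolves
    outside dest, whether the link came from this archive or already existed.
    """
    root = os.path.realpath(dest)
    os.makedirs(root, exist_ok=True)
    extracted, rejected = [], []
    if isinstance(archive, (bytes, bytearray)):
        tar = tarfile.open(fileobj=io.BytesIO(archive), mode="r:")
    else:
        tar = tarfile.open(archive, mode="r:*")
    with tar:
        for m in tar:
            if m.name.startswith("/") or ".." in m.name.split("/"):
                rejected.append((m.name, "absolute or '..' path component"))
                continue
            target = os.path.join(root, m.name)
            parent = os.path.dirname(target)
            if not _inside(parent, root):
                rejected.append((m.name, "parent resolves outside destination"))
                continue
            if m.isdir():
                os.makedirs(target, exist_ok=True)
            elif m.issym() or m.isfile():
                os.makedirs(parent, exist_ok=True)
                # Never write through an existing link sitting at the target path.
                if os.path.islink(target) or os.path.isfile(target):
                    os.unlink(target)
                if m.issym():
                    # Link text is stored verbatim; only writes *through* it are blocked.
                    os.symlink(m.linkname, target)
                else:
                    with tar.extractfile(m) as src, open(target, "wb") as dst:
                        dst.write(src.read())
            else:
                rejected.append((m.name, "unsupported member type"))
                continue
            extracted.append(m.name)
    return extracted, rejected


def build_archive(entries):
    """Build an in-memory tar from (name, kind, payload) tuples (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def run_demo():
    """Replay the reported layout against scratch directories; returns what happened."""
    outside = tempfile.mkdtemp(prefix="outside-")  # stands in for /tmp in the report
    dest = tempfile.mkdtemp(prefix="dest-")
    archive = build_archive([
        ("README", "file", "harmless\n"),
        ("symlink", "symlink", outside),              # link pointing out of dest
        ("symlink/evil.py", "file", "print('hi')\n"),  # write through that link
        ("../escape.txt", "file", "dot-dot\n"),        # classic traversal, for comparison
    ])
    extracted, rejected = safe_extract(archive, dest)
    return {
        "extracted": extracted,
        "rejected": [name for name, _ in rejected],
        "escaped": os.path.exists(os.path.join(outside, "evil.py")),
        "link_points_outside": os.path.realpath(os.path.join(dest, "symlink"))
        == os.path.realpath(outside),
    }


if __name__ == "__main__":
    print(run_demo())
```

The symlink itself is created with its target text unchanged; the policy here is that a link pointing outside the destination is harmless until something is written through it, which is exactly what the parent-directory check prevents. A stricter extractor could also refuse symlink members whose resolved target leaves the destination, and should apply the same realpath test to hard-link targets, which this example rejects as unsupported.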
