Debian has issued an advisory today (March 5): https://lists.debian.org/debian-security-announce/2015/msg00064.html The DSA will be posted here: https://www.debian.org/security/2015/dsa-3180 I've fixed this in libarchive-3.1.2-5.mga5. It will also be fixed in libarchive-3.1.2-2.1.mga4, currently in SVN. I'll push it soon if no CVE is assigned. The fix was posted here, and the CVE request in the thread is still pending: http://openwall.com/lists/oss-security/2015/03/05/7 Reproducible: Steps to Reproduce:
URL: (none) => http://lwn.net/Vulnerabilities/635764/
It doesn't look like this is getting a CVE (no responses). Patched package uploaded for Mageia 4. Advisory: ======================== Updated libarchive packages fix security vulnerability: Alexander Cherepanov discovered that bsdcpio, an implementation of the "cpio" program part of the libarchive project, is susceptible to a directory traversal vulnerability via absolute paths. References: http://openwall.com/lists/oss-security/2015/01/16/7 https://www.debian.org/security/2015/dsa-3180 ======================== Updated packages in core/updates_testing: ======================== libarchive13-3.1.2-2.1.mga4 libarchive-devel-3.1.2-2.1.mga4 bsdtar-3.1.2-2.1.mga4 bsdcpio-3.1.2-2.1.mga4 from libarchive-3.1.2-2.1.mga4.src.rpm
Assignee: bugsquad => qa-bugs
The issue is in the bsdcpio package. You do have to update libarchive13 as well for the fix to take effect. PoC is here: https://groups.google.com/forum/#!msg/libarchive-discuss/dN9y1VvE1Qk/Z9uerigjQn0J Note, just use "bsdcpio" and not "./bsdcpio" I was able to reproduce the results in the link above before the update. After the update, it ends with: $ bsdcpio -iv < test.cpio /tmp/abs /tmp/abs: Path is absolute 1 block $ ls /tmp/abs ls: cannot access /tmp/abs: No such file or directory Testing complete Mageia 4 i586.
Whiteboard: (none) => has_procedure MGA4-32-OK
PoC fix verified to work on MGA4-x86-64 in a VBox VM. Marking as MGA4-64-OK .
CC: (none) => shlomifWhiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded. Please push to 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0106.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
This has finally been assigned a CVE: http://openwall.com/lists/oss-security/2015/03/15/7 Advisory: ======================== Updated libarchive packages fix security vulnerability: Alexander Cherepanov discovered that bsdcpio, an implementation of the "cpio" program part of the libarchive project, is susceptible to a directory traversal vulnerability via absolute paths (CVE-2015-2304). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304 http://openwall.com/lists/oss-security/2015/03/15/7 https://www.debian.org/security/2015/dsa-3180
Summary: libarchive new directory traversal security issue in bsdcpio => libarchive new directory traversal security issue in bsdcpio (CVE-2015-2304)