y.debian.org
I've put the 'security' tag on this bug as a straightforward and
documented config will cause clients to miss security updates. A simple
test from an admin of this setup would reveal the problem so the danger
doesn't seem great :-)
--
Alexander Cherepanov
-bin/cvename.cgi?name=CVE-2013-0296 .
--
Alexander Cherepanov
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
peed: 1
KB/sec
$ ls ../rel
../rel
--
Alexander Cherepanov
0KB -> 0KB w 0.00s.
$ ls /tmp/abs
/tmp/abs
Notes:
- kgb already rejects paths with .. ;
- kgb doesn't handle symlinks at all.
--
Alexander Cherepanov
such file or directory
$ unpigz -N rel.gz
$ ls ../rel
../rel
--
Alexander Cherepanov
100.0 %
$ ha x test.ha
HA 0.999β Copyright (c) 1995 Harri Hirvola
Archive : test.ha (2 files)
Unpacking CPY 100 % /tmp/abs
Unpacking CPY 100 % ../rel
$ ls /tmp/abs ../rel
../rel /tmp/abs
--
Alexander Cherepanov
s just CVE-2005-1080 not fixed or something else. But
please note that CVE-2005-1080 talks about .. only.
--
Alexander Cherepanov
_keys,
i.e. your own files, strictly within filesystem permissions.
Do you think this is a valid case for a CVE?
Yes.
--
Alexander Cherepanov
rast with tar
which is secure by default.
--
Alexander Cherepanov
For example, let's create a sample archive:
ln -s /tmp dir
paxtar cvf test.tar dir
rm dir
mkdir dir
echo hello > dir/file
paxtar rvf test.tar dir/file
rm -r dir
and then test it:
paxtar xvf test.tar
This will create a symlink "dir" in the current directory and a file
"/tmp/file".
--
Alexander Cherepanov
e
"/tmp/file".
This can also be exploited through zip, arj and maybe other archives.
--
Alexander Cherepanov
binutils/17512).
Please note that PR binutils/17512 includes many more issues/fixes than
those CVEs. And there is also PR binutils/17531 ...
--
Alexander Cherepanov
Hi,
On 2014-11-19 15:11, Rene Engelhard wrote:
On Wed, Nov 19, 2014 at 01:26:54PM +0300, Alexander Cherepanov wrote:
Package: libreoffice
Version: 1:3.5.4+dfsg2-0+deb7u2
Please note that there are several crashes in the version of
LibreOffice shipped with Debian wheezy. Issues are reported
Package: libreoffice
Version: 1:3.5.4+dfsg2-0+deb7u2
Please note that there are several crashes in the version of LibreOffice
shipped with Debian wheezy. Issues are reported upstream, the list is here:
http://www.openwall.com/lists/oss-security/2014/11/19/3
--
Alexander Cherepanov