Report forwarded
to debian-bugs-dist@lists.debian.org, Raphael Geissert <geissert@debian.org>: Bug#774989; Package kgb.
(Fri, 09 Jan 2015 19:27:06 GMT)
Acknowledgement sent
to Alexander Cherepanov <cherepan@mccme.ru>:
New Bug report received and forwarded. Copy sent to Raphael Geissert <geissert@debian.org>.
(Fri, 09 Jan 2015 19:27:06 GMT)
Package: kgb
Version: 1.0b4+ds-13.2
Tags: security
kgb is susceptible to a directory traversal vulnerability. While
extracting an archive, it will happily use absolute paths taken from the
archive. This can be exploited by a malicious archive to write files
outside the current directory.
A sample archive could be prepared in the following way:
$ touch /tmp/abs
$ kgb -0 test.kgb /tmp/abs
$ rm /tmp/abs
Then check it works:
$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory
$ kgb test.kgb
Extracting archive KGB_arch -0 test.kgb ...
0KB /tmp/abs: extracted
0KB -> 0KB w 0.00s.
$ ls /tmp/abs
/tmp/abs
Notes:
- kgb already rejects paths with .. ;
- kgb doesn't handle symlinks at all.
--
Alexander Cherepanov
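As an added illustration (not kgb's own code, and not part of the report above) of the three checks an extractor needs before writing a member to disk: the absolute-path case reported here, the ".." case the report says kgb already rejects, and a containment check for existing symlinks under the destination, which the report notes kgb does not deal with. The function names, the scratch directory under /tmp and the sample member names are assumptions made for this example; it targets POSIX only.

```cpp
// Added example (not kgb's own code): the checks an extractor should apply
// to an archive member name before creating the file, covering the absolute
// path case reported here, the ".." case kgb already rejected, and the
// symlink case that a purely lexical check cannot see.
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>
#include <sys/stat.h>
#include <unistd.h>

// Split on '/', dropping empty components ("a//b" and "a/b" name the same file).
static std::vector<std::string> split_components(const std::string& p) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : p) {
        if (c == '/') { if (!cur.empty()) out.push_back(cur); cur.clear(); }
        else cur += c;
    }
    if (!cur.empty()) out.push_back(cur);
    return out;
}

// Lexical check. Returns the normalised relative path, or "" if the member
// name must be refused: absolute names (the CVE-2015-1192 case), ".."
// components, backslashes (a Windows-style path must neither become one odd
// filename on POSIX nor a traversal on a Windows build) and embedded NULs.
std::string safe_member_path(const std::string& name) {
    if (name.empty() || name[0] == '/') return "";
    if (name.find('\\') != std::string::npos) return "";
    if (name.find('\0') != std::string::npos) return "";
    std::string out;
    for (const std::string& c : split_components(name)) {
        if (c == ".") continue;
        if (c == "..") return "";
        if (!out.empty()) out += '/';
        out += c;
    }
    return out;
}

// realpath() wrapper; the POSIX.1-2008 form allocates the result.
static bool real_path(const std::string& p, std::string& out) {
    char* r = realpath(p.c_str(), nullptr);
    if (!r) return false;
    out = r;
    free(r);
    return true;
}

// Filesystem check: walk dest/rel as far as it already exists, resolve that
// prefix with realpath() and require it to stay under realpath(dest). This
// catches an existing symlink inside dest that points outside it.
bool resolves_inside(const std::string& dest, const std::string& rel) {
    std::string root, resolved;
    if (!real_path(dest, root)) return false;
    std::string probe = root;
    for (const std::string& c : split_components(rel)) {
        std::string next = probe + "/" + c;
        struct stat st;
        if (lstat(next.c_str(), &st) != 0) break;   // first missing component
        probe = next;
    }
    if (!real_path(probe, resolved)) return false;  // e.g. dangling symlink: refuse
    if (root == "/") return true;
    return resolved == root ||
           resolved.compare(0, root.size() + 1, root + "/") == 0;
}

// What an extractor would call: the path to create, or "" to skip the member.
std::string extraction_target(const std::string& dest, const std::string& member) {
    std::string rel = safe_member_path(member);
    if (rel.empty() || !resolves_inside(dest, rel)) return "";
    return dest + "/" + rel;
}

// Self-contained demonstration of the symlink case: a scratch directory
// (constructed here) holding "link -> /" must not let a member named
// "link/etc/passwd" through, while an ordinary member still extracts.
bool demo_symlink_escape() {
    char tmpl[] = "/tmp/kgbdemoXXXXXX";
    char* dir = mkdtemp(tmpl);
    if (!dir) return false;
    std::string d(dir), link = d + "/link";
    if (symlink("/", link.c_str()) != 0) { rmdir(dir); return false; }
    bool ok = extraction_target(d, "link/etc/passwd").empty() &&
              !extraction_target(d, "sub/dir/file").empty();
    unlink(link.c_str());
    rmdir(dir);
    return ok;
}

int main() {
    const char* samples[] = { "/tmp/abs", "../x", "./dir//file", "ok/name" };
    for (const char* s : samples) {
        std::string t = extraction_target(".", s);
        std::printf("%-12s -> %s\n", s, t.empty() ? "refused" : t.c_str());
    }
    std::printf("symlink escape blocked: %s\n", demo_symlink_escape() ? "yes" : "no");
    return 0;
}
```

The lexical check alone would have been enough for the archive in the report; the realpath() walk is there because a destination directory that already contains a symlink is the next way the same write lands outside it, and that case is only visible on disk, not in the member name.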
Information forwarded
to debian-bugs-dist@lists.debian.org, Raphael Geissert <geissert@debian.org>: Bug#774989; Package kgb.
(Sun, 18 Jan 2015 20:33:09 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Raphael Geissert <geissert@debian.org>.
(Sun, 18 Jan 2015 20:33:09 GMT)
Control: retitle -1 kgb: CVE-2015-1192: directory traversal vulnerability
Hi,
CVE-2015-1192 was assigned for this issue.
Regards,
Salvatore
Changed Bug title to 'kgb: CVE-2015-1192: directory traversal vulnerability' from 'kgb: directory traversal vulnerability'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 774989-submit@bugs.debian.org.
(Sun, 18 Jan 2015 20:33:09 GMT)
Reply sent
to Raphael Geissert <geissert@debian.org>:
You have taken responsibility.
(Wed, 25 Jan 2017 23:24:05 GMT)
Notification sent
to Alexander Cherepanov <cherepan@mccme.ru>:
Bug acknowledged by developer.
(Wed, 25 Jan 2017 23:24:06 GMT)
Source: kgb
Source-Version: 1.0b4+ds-14
We believe that the bug you reported is fixed in the latest version of
kgb, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 774989@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Raphael Geissert <geissert@debian.org> (supplier of updated kgb package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384
Format: 1.8
Date: Thu, 26 Jan 2017 00:02:13 +0100
Source: kgb
Binary: kgb
Architecture: source
Version: 1.0b4+ds-14
Distribution: unstable
Urgency: medium
Maintainer: Raphael Geissert <geissert@debian.org>
Changed-By: Raphael Geissert <geissert@debian.org>
Description:
kgb - Archiver for .kgb files
Closes: 733191 774989 791939
Changes:
kgb (1.0b4+ds-14) unstable; urgency=medium
.
* Acknowledge the NMU changes
* debian/control:
+ Add powerpcspe to the list of architectures (Closes: #733191)
+ Add arm64 to the list of architectures (Closes: #791939).
Thanks Martin Michlmayr for the build test
+ Update homepage
+ Bump Standards-Version
* debian/rules:
+ Use dpkg-buildflags
+ Add build-arch and build-indep targets
+ Make the cpp file a prerequisite of the build target
* Convert into a 3.0 quilt source package
+ Drop build dependency on quilt
* debian/patches/CVE-2015-1192.patch: prevent uncompression to an
absolute path (Closes: #774989).
Checksums-Sha1:
48a907ca865b380894b9d9232ee9b4d9dbaca5d7 1949 kgb_1.0b4+ds-14.dsc
3a1818f7d0dd275bd28bd6f05289f763f34db515 7432 kgb_1.0b4+ds-14.debian.tar.xz
Checksums-Sha256:
51a4a1ea9e4391148d1861cad8a9db9ef2fec7508154b5902c5e4a0bff2d02d0 1949 kgb_1.0b4+ds-14.dsc
e31a14de8f7eea491334981abefac05cfe71669845caeb46174d5f074b17ca80 7432 kgb_1.0b4+ds-14.debian.tar.xz
Files:
6a5a94e377333d25110855cd8834fee4 1949 utils optional kgb_1.0b4+ds-14.dsc
04e43e5b91dfc5521452d9ee40519143 7432 utils optional kgb_1.0b4+ds-14.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=nD+M
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 05 Mar 2017 07:36:50 GMT)