Debian Bug report logs - #774989
kgb: CVE-2015-1192: directory traversal vulnerability


Package: kgb; Maintainer for kgb is Raphael Geissert <geissert@debian.org>; Source for kgb is src:kgb (PTS, buildd, popcon).

Reported by: Alexander Cherepanov <cherepan@mccme.ru>

Date: Fri, 9 Jan 2015 19:27:02 UTC

Severity: normal

Tags: security

Found in version kgb/1.0b4+ds-13.2

Fixed in version kgb/1.0b4+ds-14

Done: Raphael Geissert <geissert@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Raphael Geissert <geissert@debian.org>:
Bug#774989; Package kgb. (Fri, 09 Jan 2015 19:27:06 GMT)


Acknowledgement sent to Alexander Cherepanov <cherepan@mccme.ru>:
New Bug report received and forwarded. Copy sent to Raphael Geissert <geissert@debian.org>. (Fri, 09 Jan 2015 19:27:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Alexander Cherepanov <cherepan@mccme.ru>
To: submit@bugs.debian.org
Subject: kgb: directory traversal vulnerability
Date: Fri, 09 Jan 2015 22:25:18 +0300
Package: kgb
Version: 1.0b4+ds-13.2
Tags: security

kgb is susceptible to a directory traversal vulnerability. While 
extracting an archive, it will happily use absolute paths taken from the 
archive. This can be exploited by a malicious archive to write files 
outside the current directory.

A sample archive could be prepared in the following way:

$ touch /tmp/abs
$ kgb -0 test.kgb /tmp/abs
$ rm /tmp/abs

Then check it works:

$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory

$ kgb test.kgb
Extracting archive KGB_arch -0 test.kgb ...
         0KB /tmp/abs: extracted
0KB -> 0KB w 0.00s.

$ ls /tmp/abs
/tmp/abs


Notes:
- kgb already rejects paths with .. ;
- kgb doesn't handle symlinks at all.

-- 
Alexander Cherepanov
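
The member-name check that closes this class of bug, as an added example written for this page rather than kgb's own code or its CVE-2015-1192.patch: it rejects the absolute paths the report demonstrates and the ".." components kgb already refused, then joins the validated name to the extraction directory. Function names and the sample member names are constructed for the illustration; as the notes above say, kgb does not handle symlinks, and this string-level check does not either.

```c
/* Example (not from kgb): validate an archive member name before using it.
 * An archiver that trusts names from the archive writes wherever they point;
 * the report shows "/tmp/abs" landing in /tmp instead of the current directory. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Return true when `member` stays beneath the extraction directory.
 * Rejects: empty names, absolute names (leading '/'), and any ".." component. */
bool member_path_is_safe(const char *member) {
    if (member == NULL || *member == '\0') return false;
    if (member[0] == '/') return false;              /* the reported bug: absolute path */
    const char *p = member;
    while (*p) {                                     /* walk '/'-separated components */
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') return false;  /* parent traversal */
        p = end ? end + 1 : p + len;                 /* empty components ("a//b") are tolerated */
    }
    return true;
}

/* Build "<dest>/<member>" into out; false when the name is unsafe or too long. */
bool build_extract_path(const char *dest, const char *member, char *out, size_t outlen) {
    if (!member_path_is_safe(member)) return false;
    int n = snprintf(out, outlen, "%s/%s", dest, member);
    return n >= 0 && (size_t)n < outlen;
}

int main(void) {
    /* Constructed sample member names, including the one from the report. */
    const char *samples[] = { "/tmp/abs", "dir/file.txt", "dir/../../etc/passwd", "..", "..foo/bar" };
    char path[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_extract_path("./out", samples[i], path, sizeof path))
            printf("%-24s -> extract to %s\n", samples[i], path);
        else
            printf("%-24s -> rejected\n", samples[i]);
    }
    return 0;
}
```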



Information forwarded to debian-bugs-dist@lists.debian.org, Raphael Geissert <geissert@debian.org>:
Bug#774989; Package kgb. (Sun, 18 Jan 2015 20:33:09 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Raphael Geissert <geissert@debian.org>. (Sun, 18 Jan 2015 20:33:09 GMT)


Message #10 received at 774989@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Alexander Cherepanov <cherepan@mccme.ru>, 774989@bugs.debian.org
Subject: Re: Bug#774989: kgb: directory traversal vulnerability
Date: Sun, 18 Jan 2015 21:31:27 +0100
Control: retitle -1 kgb: CVE-2015-1192: directory traversal vulnerability

Hi,

CVE-2015-1192 was assigned for this issue.

Regards,
Salvatore



Changed Bug title to 'kgb: CVE-2015-1192: directory traversal vulnerability' from 'kgb: directory traversal vulnerability'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 774989-submit@bugs.debian.org. (Sun, 18 Jan 2015 20:33:09 GMT)


Reply sent to Raphael Geissert <geissert@debian.org>:
You have taken responsibility. (Wed, 25 Jan 2017 23:24:05 GMT)


Notification sent to Alexander Cherepanov <cherepan@mccme.ru>:
Bug acknowledged by developer. (Wed, 25 Jan 2017 23:24:06 GMT)


Message #17 received at 774989-close@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: 774989-close@bugs.debian.org
Subject: Bug#774989: fixed in kgb 1.0b4+ds-14
Date: Wed, 25 Jan 2017 23:22:55 +0000
Source: kgb
Source-Version: 1.0b4+ds-14

We believe that the bug you reported is fixed in the latest version of
kgb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774989@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Geissert <geissert@debian.org> (supplier of updated kgb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 26 Jan 2017 00:02:13 +0100
Source: kgb
Binary: kgb
Architecture: source
Version: 1.0b4+ds-14
Distribution: unstable
Urgency: medium
Maintainer: Raphael Geissert <geissert@debian.org>
Changed-By: Raphael Geissert <geissert@debian.org>
Description:
 kgb        - Archiver for .kgb files
Closes: 733191 774989 791939
Changes:
 kgb (1.0b4+ds-14) unstable; urgency=medium
 .
   * Acknowledge the NMU changes
   * debian/control:
     + Add powerpcspe to the list of architectures (Closes: #733191)
     + Add arm64 to the list of architectures (Closes: #791939).
       Thanks Martin Michlmayr for the build test
     + Update homepage
     + Bump Standards-Version
   * debian/rules:
     + Use dpkg-buildflags
     + Add build-arch and build-indep targets
     + Make the cpp file a prerequisite of the build target
   * Convert into a 3.0 quilt source package
     + Drop build dependency on quilt
   * debian/patches/CVE-2015-1192.patch: prevent uncompression to an
     absolute path (Closes: #774989).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 Mar 2017 07:36:50 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 19:53:26 2025; Machine Name: buxtehude
