[arch-security] [ASA-201502-9] pigz: arbitrary write to files
Christian Rebischke
chris.rebischke at gmail.com
Mon Feb 9 20:56:25 UTC 2015
Arch Linux Security Advisory ASA-201502-9
=========================================
Severity: High
Date    : 2015-02-09
CVE-ID  : CVE-2015-1191
Package : pigz
Type    : arbitrary write to files
Remote  : yes
Link    : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package pigz before version 2.3.3-1 is vulnerable to multiple directory
traversal vulnerabilities that allow remote attackers to write to
arbitrary files via (1) a full pathname or (2) .. (dot dot) in an archive.
Resolution
==========
Upgrade to 2.3.3-1.

# pacman -Syu "pigz>=2.3.3-1"

The problem has been fixed upstream in version 2.3.3.
Workaround
==========
None.
Description
===========
The package pigz before version 2.3.3-1 is vulnerable to multiple directory
traversal vulnerabilities that allow remote attackers to write to
arbitrary files via (1) a full pathname or (2) .. (dot dot) in an archive.
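
Added example, not part of the advisory and not pigz code: a Python check that
reads the original-filename (FNAME) field from a gzip header and flags the two
cases named above, a full pathname and a .. component. It assumes the name in
question is the gzip FNAME field from RFC 1952 and POSIX path separators; the
function names and sample names are constructed for illustration.

```python
import posixpath
import struct

FEXTRA, FNAME = 0x04, 0x08  # FLG bits from RFC 1952

def gzip_stored_name(data):
    """Return the FNAME field of the first gzip member header, or None."""
    if len(data) < 10 or data[:3] != b"\x1f\x8b\x08":
        raise ValueError("not a gzip/deflate stream")
    flags, pos = data[3], 10                 # fixed header is 10 bytes
    if flags & FEXTRA:                       # optional extra field comes first
        if len(data) < pos + 2:
            raise ValueError("truncated FEXTRA length")
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & FNAME:
        return None
    end = data.find(b"\0", pos)              # name is NUL-terminated Latin-1
    if end < 0:
        raise ValueError("truncated FNAME field")
    return data[pos:end].decode("latin-1")

def check_name(name):
    """Return (findings, safe_name) for a name read from an archive."""
    findings = []
    if name.startswith("/"):
        findings.append("full pathname")     # advisory case (1)
    if ".." in name.split("/"):
        findings.append("dot dot")           # advisory case (2)
    safe = posixpath.basename(name)          # keep only the last component
    return findings, (None if safe in ("", ".", "..") else safe)

def audit(data):
    """Return (stored_name, findings, safe_name) for raw gzip bytes."""
    name = gzip_stored_name(data)
    if name is None:
        return None, [], None
    return (name, *check_name(name))

def make_header(name, extra=b""):
    """Build a constructed gzip header carrying `name` (sample input only)."""
    flags = FNAME | (FEXTRA if extra else 0)
    head = b"\x1f\x8b\x08" + bytes([flags]) + b"\0" * 4 + b"\x00\x03"
    if extra:
        head += struct.pack("<H", len(extra)) + extra
    return head + name + b"\0"

if __name__ == "__main__":
    for raw in (b"report.txt", b"/tmp/constructed-target", b"../../constructed-target"):
        print(audit(make_header(raw, extra=b"AB")))
```

Running audit() over the first bytes of a .gz file before decompressing it shows
whether the stored name would leave the current directory.
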
Impact
======
A remote attacker is able to write to arbitrary files via a crafted archive.
References
==========
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1191