CVE-2015-2304

Published: 15 March 2015

Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive.

Priority

Status

Package	Release	Status
libarchive Launchpad, Ubuntu, Debian	lucid	Ignored (end of life)
	precise	Released (3.0.3-6ubuntu1.1)
	trusty	Released (3.1.2-7ubuntu2.1)
	upstream	Released (3.1.2-11)
	utopic	Released (3.1.2-9ubuntu0.1)
	Patches: upstream: https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526

References

http://www.openwall.com/lists/oss-security/2015/01/16/7
https://github.com/libarchive/libarchive/pull/110
http://www.openwall.com/lists/oss-security/2015/01/07/5
http://www.debian.org/security/2015/dsa-3180
https://ubuntu.com/security/notices/USN-2549-1
https://www.cve.org/CVERecord?id=CVE-2015-2304
NVD
Launchpad
Debian

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778266
https://groups.google.com/forum/#!msg/libarchive-discuss/dN9y1VvE1Qk/Z9uerigjQn0J

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›