Candidate: CVE-2015-2060
PublicDate: 2019-11-29 21:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2060
 http://www.openwall.com/lists/oss-security/2015/02/18/3
Description:
 cabextract before 1.6 does not properly check for leading slashes when
 extracting files, which allows remote attackers to conduct absolute
 directory traversal attacks via a malformed UTF-8 character that is changed
 to a UTF-8 encoded slash.
Ubuntu-Description:
 It was discovered that cabextract incorrectly handled certain malformed CAB
 files. A remote attacker could use this issue to write to arbitrary files
 on the host filesystem.
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778753
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N [5.3 MEDIUM]

Patches_cabextract:
 upstream: http://sourceforge.net/p/libmspack/code/217
upstream_cabextract: released (1.6-1)
lucid_cabextract: ignored (reached end-of-life)
precise_cabextract: ignored (reached end-of-life)
precise/esm_cabextract: DNE (precise was needed)
trusty_cabextract: ignored (out of standard support)
trusty/esm_cabextract: needed
utopic_cabextract: ignored (reached end-of-life)
vivid_cabextract: ignored (reached end-of-life)
vivid/stable-phone-overlay_cabextract: DNE
vivid/ubuntu-core_cabextract: DNE
wily_cabextract: not-affected (1.6-1)
xenial_cabextract: not-affected (1.6-1)
yakkety_cabextract: not-affected (1.6-1)
zesty_cabextract: not-affected (1.6-1)
artful_cabextract: not-affected (1.6-1)
bionic_cabextract: not-affected (1.6-1)
cosmic_cabextract: not-affected (1.6-1)
disco_cabextract: not-affected (1.6-1)
eoan_cabextract: not-affected (1.6-1)
focal_cabextract: not-affected (1.6-1)
groovy_cabextract: not-affected (1.6-1)
hirsute_cabextract: not-affected (1.6-1)
impish_cabextract: not-affected (1.6-1)
jammy_cabextract: not-affected (1.6-1)
devel_cabextract: not-affected (1.6-1)