PublicDateAtUSN: 2015-03-15
Candidate: CVE-2015-2304
PublicDate: 2015-03-15 19:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304
 http://www.openwall.com/lists/oss-security/2015/01/16/7
 https://github.com/libarchive/libarchive/pull/110
 http://www.openwall.com/lists/oss-security/2015/01/07/5
 http://www.debian.org/security/2015/dsa-3180
 https://ubuntu.com/security/notices/USN-2549-1
Description:
 Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and
 earlier allows remote attackers to write to arbitrary files via a full
 pathname in an archive.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778266
 https://groups.google.com/forum/#!msg/libarchive-discuss/dN9y1VvE1Qk/Z9uerigjQn0J
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:

Patches_libarchive:
 upstream: https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526
upstream_libarchive: released (3.1.2-11)
lucid_libarchive: ignored (reached end-of-life)
precise_libarchive: released (3.0.3-6ubuntu1.1)
trusty_libarchive: released (3.1.2-7ubuntu2.1)
trusty/esm_libarchive: released (3.1.2-7ubuntu2.1)
utopic_libarchive: released (3.1.2-9ubuntu0.1)
devel_libarchive: not-affected (3.1.2-11)