FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

p7zip -- directory traversal vulnerability

Affected packages
p7zip < 9.38.1_2

Details

VuXML ID 8f5c9dd6-5cac-11e5-9ad8-14dae9d210b8
Discovery 2015-01-05
Entry 2015-09-16

Alexander Cherepanov reports:

7z (and 7zr) is susceptible to a directory traversal vulnerability. While extracting an archive, it will extract symlinks and then follow them if they are referenced in further entries. This can be exploited by a rogue archive to write files outside the current directory.
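A pre-extraction check for the pattern described above, given as an added example that is not part of the advisory or of p7zip: it walks the entry list in archive order and rejects any entry that would be written through a symlink declared by an earlier entry. The `(path, kind, link_target)` entry model, the name `audit_entries` and the `SAMPLE` listing are assumptions constructed for illustration; flagging symlinks whose target leaves the extraction root is an extra, stricter policy choice.

```python
import posixpath

FILE, SYMLINK = "file", "symlink"  # hypothetical entry kinds, not 7z output


def audit_entries(entries):
    """Return (index, path, reason) for every entry that should not be extracted.

    entries: iterable of (path, kind, link_target) in archive order.
    """
    findings = []
    symlinks = set()  # normalized paths declared as symlinks by earlier entries
    for i, (path, kind, target) in enumerate(entries):
        norm = posixpath.normpath(path.replace("\\", "/"))
        parts = norm.split("/")
        if norm.startswith("/") or parts[0] == "..":
            findings.append((i, path, "path escapes extraction root"))
            continue
        # If the path or any leading component is an archive-supplied symlink,
        # an extractor that follows links would write wherever it points.
        prefixes = ["/".join(parts[:n]) for n in range(1, len(parts) + 1)]
        hit = next((p for p in prefixes if p in symlinks), None)
        if hit is not None:
            findings.append((i, path, f"written through archive symlink '{hit}'"))
            continue
        if kind == SYMLINK:
            symlinks.add(norm)
            # Resolve the target relative to the directory holding the link.
            resolved = posixpath.normpath(
                posixpath.join(posixpath.dirname(norm), target))
            if (target.startswith("/") or resolved == ".."
                    or resolved.startswith("../")):
                findings.append((i, path, "symlink target outside extraction root"))
    return findings


# Constructed sample listing, in archive order.
SAMPLE = [
    ("docs/readme.txt", FILE, None),
    ("cache", SYMLINK, "../elsewhere"),
    ("cache/notes.txt", FILE, None),
    ("docs/latest", SYMLINK, "readme.txt"),
    ("../up.txt", FILE, None),
]

if __name__ == "__main__":
    for index, path, reason in audit_entries(SAMPLE):
        print(f"entry {index}: {path}: {reason}")
```

The check is deliberately conservative: an entry routed through any archive-supplied symlink is rejected even when the link points inside the extraction directory.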

References

CVE Name CVE-2015-1038
URL http://sourceforge.net/p/p7zip/bugs/147/
URL http://www.openwall.com/lists/oss-security/2015/01/11/2
URL https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660