Bug 1121032 (CVE-2015-9275)

Summary:	VUL-0: CVE-2015-9275: arc: directory traversal
Product:	[openSUSE] openSUSE Distribution	Reporter:	Karol Babioch <karol>
Component:	Security	Assignee:	Marcus Meissner <meissner>
Status:	CONFIRMED ---	QA Contact:	Security Team bot <security-team>
Severity:	Minor
Priority:	P3 - Medium	CC:	crrodriguez, darin, karol, mpluskal, mseben, pth, werner, wolfgang.frisch
Version:	Leap 15.1
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/222273/
Whiteboard:
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Karol Babioch 2019-01-08 08:37:51 UTC

ARC 5.21q allows directory traversal via a full pathname in an archive file.

Debian patches:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774527#10

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1179142
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9275
https://bugs.debian.org/774527
http://www.cvedetails.com/cve/CVE-2015-9275/

Comment 1 Wolfgang Frisch 2020-01-16 15:05:16 UTC

arc-5.21q in openSUSE Leap 15.1 is vulnerable.

Comment 2 Swamp Workflow Management 2020-01-17 09:50:06 UTC

This is an autogenerated message for OBS integration:
This bug (1121032) was mentioned in
https://build.opensuse.org/request/show/765167 15.1 / arc
https://build.opensuse.org/request/show/765168 Backports:SLE-15 / arc
https://build.opensuse.org/request/show/765169 Backports:SLE-15-SP1 / arc

Comment 3 Swamp Workflow Management 2020-01-25 17:13:35 UTC

openSUSE-SU-2020:0103-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1121032
CVE References: CVE-2015-9275
Sources used:
openSUSE Leap 15.1 (src):    arc-5.21q-lp151.3.3.1
openSUSE Backports SLE-15-SP1 (src):    arc-5.21q-bp151.4.3.1
openSUSE Backports SLE-15 (src):    arc-5.21q-bp150.2.3.1