Mailinglist Archive: opensuse-bugs (6588 mails)

< Previous Next >
[Bug 1143535] New: VUL-1: CVE-2019-14452: sigil: directory traversal may lead to writing arbitrary files in a ZIP archive entry
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Wed, 31 Jul 2019 07:00:12 +0000
  • Message-id: <bug-1143535-21960@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=1143535


Bug ID: 1143535
Summary: VUL-1: CVE-2019-14452: sigil: directory traversal may
lead to writing arbitrary files in a ZIP archive entry
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.0
Hardware: Other
URL: https://smash.suse.de/issue/238368/
OS: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Security
Assignee: opensuse@xxxxxxxxxxxx
Reporter: atoptsoglou@xxxxxxxx
QA Contact: security-team@xxxxxxx
Found By: Security Response Team
Blocker: ---

CVE-2019-14452

Sigil before 0.9.16 is vulnerable to a directory traversal, allowing attackers
to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that
is mishandled during extraction.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14452
https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505967936
https://github.com/Sigil-Ebook/Sigil/commit/04e2f280cc4a0766bedcc7b9eb56449ceecc2ad4
https://github.com/Sigil-Ebook/Sigil/compare/ea7f27d...5b867e5
https://github.com/Sigil-Ebook/Sigil/commit/369eebe936e4a8c83cc54662a3412ce8bef189e4
https://github.com/Sigil-Ebook/Sigil/commit/0979ba8d10c96ebca330715bfd4494ea0e019a8f
https://github.com/Sigil-Ebook/Sigil/releases/tag/0.9.16
https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505997355

--
You are receiving this mail because:
You are on the CC list for the bug.
< Previous Next >
Follow Ups