Arch Linux Advisory ASA-201502-9 High: Pigz Directory Traversal Risk

The package pigz before version 2.3.3-1 is vulnerable to multiple directory traversal vulnerabilities. That allows remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive.

Arch Linux Security Advisory ASA-201502-9
========================================
Severity: High
Date    : 2015-02-09
CVE-ID  : CVE-2015-1191
Package : pigz
Type    : arbitrary write to files
Remote  : yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package pigz before version 2.3.3-1 is vulnerable to multiple directory
traversal vulnerabilities. That allows remote attackers to write to
arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive.

Resolution
=========
Upgrade to 2.3.3-1

# pacman -Syu "pigz>=2.3.3-1"

The problem has been fixed upstream in version 2.3.3.

Workaround
=========
None.

Description
==========
The package pigz before version 2.3.3-1 is vulnerable to multiple directory
traversal vulnerabilities. That allows remote attackers to write to
arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive.

Impact
=====
A remote attacker is able to write files remotely.

References
=========
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1191