From ${URL} : Jakub Wilk reported two directory traversal issues with arj, an archiver for .arj files. There are two issues reported as separate bugs to the Debian BTS:
arj: symlink directory traversal: - https://bugs.debian.org/774434
arj: directory traversal via //multiple/leading/slash: - https://bugs.debian.org/774435
Reproducers for both issues are also attached to the corresponding bugs. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2015-0557 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0557): Open-source ARJ archiver 3.10.22 does not properly remove leading slashes from paths, which allows remote attackers to conduct absolute path traversal attacks and write to arbitrary files via multiple leading slashes in a path in an ARJ archive.
CVE-2015-0556 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0556): Open-source ARJ archiver 3.10.22 allows remote attackers to conduct directory traversal attacks via a symlink attack in an ARJ archive.
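The two CVE descriptions above boil down to the checks an extractor must make on every member name before writing. The following is an added illustration of those checks, not code from arj or from the Gentoo/Debian bugs: a sanitiser that strips every leading slash (so `//etc/passwd` cannot stay absolute) and rejects `..`, plus a target resolver that refuses to descend through a symlink already present under the destination. Function names and the constructed temp-directory scenario are assumptions of this example.

```python
import os
import posixpath
import tempfile


def sanitize_member_path(name):
    """Turn an archive member name into a safe relative path, or None.

    Strips every leading slash (removing only one would leave
    '//etc/passwd' absolute, the CVE-2015-0557 pattern), treats backslashes
    as separators, and rejects '..' components, drive letters and empty names.
    """
    name = name.replace("\\", "/").lstrip("/")
    if not name:
        return None
    clean = posixpath.normpath(name)
    parts = clean.split("/")
    if clean == "." or any(p == ".." or ":" in p for p in parts):
        return None
    return clean


def safe_extract_target(dest, member):
    """Return the path to write member to, or None if it must be refused.

    Besides sanitising the name, refuses to write to or descend through a
    symlink that already exists under dest (planted by an earlier member),
    the CVE-2015-0556 pattern. Check-then-write is still racy; a real
    extractor should also open with O_NOFOLLOW / openat.
    """
    rel = sanitize_member_path(member)
    if rel is None:
        return None
    dest_real = os.path.realpath(dest)
    parts = rel.split("/")
    # Check every prefix, including the final target itself.
    for i in range(1, len(parts) + 1):
        if os.path.islink(os.path.join(dest, *parts[:i])):
            return None
    target = os.path.join(dest, *parts)
    parent_real = os.path.realpath(os.path.dirname(target))
    if parent_real != dest_real and not parent_real.startswith(dest_real + os.sep):
        return None
    return target


def symlink_member_is_refused():
    """Constructed scenario: 'link' inside dest already points outside dest."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as dest:
        os.symlink(outside, os.path.join(dest, "link"))
        return safe_extract_target(dest, "link/evil.txt") is None
```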
Arch teams, please test and stabilise app-arch/arj-3.10.22-r5. Target KEYWORDS="amd64 ppc sparc x86". Thanks!
amd64 stable
x86 stable
ppc stable
sparc stable. Maintainer(s), please clean up. Security, please vote.
GLSA Vote: No Cleaned up: https://gitweb.gentoo.org/repo/gentoo.git/commit/?h=python-exec-prefix&id=aea608c70b3f31aa4ca0a40fbd8662a654762f0f
This issue was resolved and addressed in GLSA 201612-15 at https://security.gentoo.org/glsa/201612-15 by GLSA coordinator Aaron Bauman (b-man).