Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 535708 (CVE-2015-0556) - <app-arch/arj-3.10.22-r5: two vulnerabilities (CVE-2015-{0556,0557})
Summary: <app-arch/arj-3.10.22-r5: two vulnerabilities (CVE-2015-{0556,0557})
Status: RESOLVED FIXED
Alias: CVE-2015-0556
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2015-2782
  Show dependency tree
 
Reported: 2015-01-05 20:18 UTC by Agostino Sarubbo
Modified: 2016-12-06 03:50 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-01-05 20:18:37 UTC
From ${URL} :

Jakub Wilk reported two directory traversal issues with arj, an
archiver for .arj files. There are two issues reported as separate
bugs to the Debian BTS:

arj: symlink directory traversal:
 - https://bugs.debian.org/774434

arj: directory traversal via //multiple/leading/slash:
 - https://bugs.debian.org/774435

Reproducers for both issues are also attached bot the corresponding
bugs.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-06-21 00:12:44 UTC
CVE-2015-0557 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0557):
  Open-source ARJ archiver 3.10.22 does not properly remove leading slashes
  from paths, which allows remote attackers to conduct absolute path traversal
  attacks and write to arbitrary files via multiple leading slashes in a path
  in an ARJ archive.

CVE-2015-0556 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0556):
  Open-source ARJ archiver 3.10.22 allows remote attackers to conduct
  directory traversal attacks via a symlink attack in an ARJ archive.
Comment 2 Michael Palimaka (kensington) gentoo-dev 2015-12-08 16:37:18 UTC
Arch teams, please test and stabilise app-arch/arj-3.10.22-r5.

Target KEYWORDS="amd64 ppc sparc x86".

Thanks!
Comment 3 Agostino Sarubbo gentoo-dev 2015-12-09 10:48:24 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-12-25 18:20:17 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-12-26 10:56:04 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-01-09 07:11:06 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-12-06 03:50:43 UTC
This issue was resolved and addressed in
 GLSA 201612-15 at https://security.gentoo.org/glsa/201612-15
by GLSA coordinator Aaron Bauman (b-man).