From ${URL} : It was reported [1] that ARJ crashes on a crafted ARJ file: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774015 This is actually a security issue, as the invalid pointer in that free is due to a buffer overflow write access initiated by a size read from the processed archive. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2015-2782 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2782): Buffer overflow in Open-source ARJ archiver 3.10.22 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ARJ archive.
We have 3.10.22-r5 in tree undergoing stabilization as part of bug #535708. Is this vulnerability handled by the same build?
This is fixed in Debian's 3.10.22-13, which is the version used by our arj-3.10.22-r5 and later. So, I believe this is fixed in the tree already. The older versions are gone, too.
As said in comment #3, we already have a fixed version in tree, which went stable via bug 535708. No vulnerable version left, so all done. New GLSA created.
This issue was resolved and addressed in GLSA 201612-15 at https://security.gentoo.org/glsa/201612-15 by GLSA coordinator Aaron Bauman (b-man).