fastjar contains the following security problem: When a JAR archive is extracted with filenames with "../" inside, it can extract files outside of the current directory (a so-called directory traversal). Unsuspecting users unpacking such files could overwrite their own files, or even system files when being root. I am attaching a sample "cups.jar" from an earlier CUPS tarball, which exposes this problem.
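An entry-name check of the kind an extractor needs against this class of bug, as an added example rather than fastjar's code or the attached patch: it walks each JAR entry name component by component and rejects any name that is absolute or that climbs above the extraction directory through "..". The function name and the sample entry names are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not fastjar's own code: decide whether a JAR entry name
 * may be written under the extraction root.  Returns 1 when safe and
 * 0 when the name is absolute or a ".." component would climb above the
 * extraction root.  Only the name string is inspected; ".." buried in
 * the middle of a name (e.g. "lib/../../x") is caught by tracking depth. */
int jar_entry_is_safe(const char *name)
{
    const char *p = name;
    int depth = 0;                  /* directory levels below the root */

    if (name == NULL || *name == '\0')
        return 0;                   /* nothing to extract */
    if (*name == '/')
        return 0;                   /* absolute path escapes the root */

    while (*p != '\0') {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 0;           /* would leave the extraction root */
        } else if (len != 0 && !(len == 1 && p[0] == '.')) {
            depth++;                /* ordinary path component */
        }
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return 1;
}

/* Constructed sample entry names, some shaped like those in a hostile archive. */
int main(void)
{
    static const char *samples[] = {
        "META-INF/MANIFEST.MF", "doc/../README", "../etc/passwd",
        "lib/../../x", "/tmp/evil", "a/b/../../c"
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i],
               jar_entry_is_safe(samples[i]) ? "extract" : "REJECT");
    return 0;
}
```

The name check alone is not the whole story: an extractor that honours symbolic links already present in the target tree also needs to resolve the final path before writing.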
Created attachment 92619: patch to fix directory traversal
patch grabbed from here http://gcc.gnu.org/bugzilla/attachment.cgi?id=11904
please provide a fixed ebuild, thanks
toolchain, any news on this one?
this will be included in gcc-4.1.1-r2 and higher. should we bother with a GLSA?
According to policy we should vote on a GLSA release. Personally I would vote NO.
Hm. I tend to vote no, too (although I usually take directory traversals seriously, especially since Gentoo's a prime target in this very case ^^).
yes, but i thought in general we are not going to do GLSAs for toolchain
SpanKY any news on this one? I'm still awaiting an answer to my mail to security@ before I can upgrade policy wrt toolchain. I'll just resend it now.
what are you talking about? i gave you your news in comment #4
SpanKY is gcc-4.1.1-r2 ready for stable marking?
i was going to put it into ~arch in the next week but i still don't see much point in pushing this into stable as it's part of our toolchain
SpanKY I've been asking on -security for clarification on the toolchain issue. Could you please answer to that mail and we can get this bug closed?
i responded when you first sent out the e-mail
gcc-4.1.1-r3 is stable and this bug is obsolete, feel free to reopen if you disagree