Summary: | <app-arch/fastjar-0.98-r1: directory traversal (CVE-2010-{0831,2322}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | java |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://launchpad.net/bugs/540575 | ||
Whiteboard: | B3 [glsa] | ||
Package list: | | Runtime testing required: | ---
Description
Stefan Behte (RETIRED)
2010-06-25 19:30:57 UTC
Please provide an updated ebuild.

CVE-2010-0831 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0831): Directory traversal vulnerability in the extract_jar function in jartool.c in FastJar 0.98 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in a non-initial pathname component in a filename within a .jar archive, a related issue to CVE-2005-1080. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-3619.

CVE-2010-2322 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2322): Absolute path traversal vulnerability in the extract_jar function in jartool.c in FastJar 0.98 allows remote attackers to create or overwrite arbitrary files via a full pathname for a file within a .jar archive, a related issue to CVE-2010-0831. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-3619.

Please stabilize app-arch/fastjar-0.98-r1

x86 stable

amd64 done

ppc64 done

Marked ppc stable.

GLSA Vote: yes.

Vote: YES, glsa request filed.

Removed vulnerable version.

*fastjar-0.98-r2 (14 Sep 2012)
14 Sep 2012; Ralph Sennhauser <sera@gentoo.org> -fastjar-0.98.ebuild, +fastjar-0.98-r2.ebuild:
EAPI bump for Prefix support by Christoph Junghans <ottxor@gentoo.org>. #434782
Remove vulnerable. #325557

This issue was resolved and addressed in GLSA 201209-21 at http://security.gentoo.org/glsa/glsa-201209-21.xml by GLSA coordinator Sean Amoss (ackle).
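The two CVE descriptions above name the two ways an archive entry name can escape the extraction directory: an absolute path (CVE-2010-2322) and a `..` that sits in a non-initial component, which a check that only looks at the leading component misses (CVE-2010-0831). The following C is an added example for this bug, not FastJar's jartool.c nor Gentoo's patch: `jar_entry_path_is_safe` walks every `/`-separated component and rejects both cases before the name is joined onto the destination directory, `build_extract_path` shows the check applied ahead of the join, and `leading_dotdot_only_check` is a constructed illustration of a prefix-only check of the kind the CVE text calls incomplete (it is not the actual earlier fix). All three function names and the sample entry names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened check: an entry name may be joined onto the
 * extraction directory only if it is relative and no '/'-separated
 * component, in any position, is "..". Jar entry names use '/' as the
 * separator, so only '/' is treated as a component boundary here. */
bool jar_entry_path_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    /* Absolute-path case (CVE-2010-2322): escapes the target directory outright. */
    if (name[0] == '/')
        return false;
    /* Walk every component, not just the first (CVE-2010-0831 is a ".."
     * in a non-initial component such as "lib/../../x"). */
    const char *p = name;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return true;
}

/* Constructed illustration of an incomplete check that only rejects a
 * leading "../" (or a bare ".."). It accepts "lib/../../x", which is the
 * shape of entry the CVE text describes. Not FastJar's code. */
bool leading_dotdot_only_check(const char *name)
{
    return !(strncmp(name, "../", 3) == 0 || strcmp(name, "..") == 0);
}

/* Apply the hardened check before joining dest_dir and entry into out.
 * Returns 0 on success, -1 if the entry is unsafe, -2 if out is too small. */
int build_extract_path(const char *dest_dir, const char *entry,
                       char *out, size_t outlen)
{
    if (!jar_entry_path_is_safe(entry))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", dest_dir, entry);
    if (n < 0 || (size_t)n >= outlen)
        return -2;
    return 0;
}

int main(void)
{
    /* Constructed sample entry names, as a manifest listing would yield them. */
    const char *entries[] = {
        "META-INF/MANIFEST.MF", "com/example/Foo.class", "a..b/c",
        "/etc/passwd", "../x", "lib/../../x", "lib/..",
    };
    char path[256];
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        int rc = build_extract_path("/tmp/out", entries[i], path, sizeof path);
        printf("%-24s hardened=%s prefix-only=%s\n", entries[i],
               rc == 0 ? "accept" : "reject",
               leading_dotdot_only_check(entries[i]) ? "accept" : "reject");
    }
    return 0;
}
```

The output table makes the difference visible: the prefix-only check accepts `lib/../../x` and `lib/..`, while the component walk rejects them along with `/etc/passwd` and `../x`, and still accepts `a..b/c`, whose component merely contains two dots.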