Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 325557 (CVE-2010-0831)

Summary: <app-arch/fastjar-0.98-r1: directory traversal (CVE-2010-{0831,2322})
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: java
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://launchpad.net/bugs/540575
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 19:30:57 UTC
CVE-2010-0831 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0831):
  Directory traversal vulnerability in the extract_jar function in
  jartool.c in FastJar 0.98 allows remote attackers to create or
  overwrite arbitrary files via a .. (dot dot) in a non-initial
  pathname component in a filename within a .jar archive, a related
  issue to CVE-2005-1080.  NOTE: this vulnerability exists because of
  an incomplete fix for CVE-2006-3619.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 19:32:18 UTC
Please provide an updated ebuild.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 21:37:08 UTC
CVE-2010-0831 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0831):
  Directory traversal vulnerability in the extract_jar function in
  jartool.c in FastJar 0.98 allows remote attackers to create or
  overwrite arbitrary files via a .. (dot dot) in a non-initial
  pathname component in a filename within a .jar archive, a related
  issue to CVE-2005-1080.  NOTE: this vulnerability exists because of
  an incomplete fix for CVE-2006-3619.

CVE-2010-2322 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2322):
  Absolute path traversal vulnerability in the extract_jar function in
  jartool.c in FastJar 0.98 allows remote attackers to create or
  overwrite arbitrary files via a full pathname for a file within a
  .jar archive, a related issue to CVE-2010-0831.  NOTE: this
  vulnerability exists because of an incomplete fix for CVE-2006-3619.

Comment 3 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-06-30 21:49:00 UTC
Please stabilize app-arch/fastjar-0.98-r1
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-01 09:28:28 UTC
x86 stable
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2010-07-04 22:03:51 UTC
amd64 done
Comment 6 Brent Baude (RETIRED) gentoo-dev 2010-07-08 15:54:55 UTC
ppc64 done
Comment 7 Joe Jezak (RETIRED) gentoo-dev 2010-07-19 01:14:27 UTC
Marked ppc stable.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 16:51:08 UTC
GLSA Vote: yes.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 16:36:58 UTC
Vote: YES, glsa request filed.
Comment 10 Ralph Sennhauser (RETIRED) gentoo-dev 2012-09-14 08:16:12 UTC
Removed vulnerable version.

*fastjar-0.98-r2 (14 Sep 2012)

  14 Sep 2012; Ralph Sennhauser <sera@gentoo.org> -fastjar-0.98.ebuild,
  +fastjar-0.98-r2.ebuild:
  EAPI bump for Prefix support by Christoph Junghans <ottxor@gentoo.org>.
  #434782
  Remove vulnerable. #325557
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-09-28 00:51:40 UTC
This issue was resolved and addressed in
 GLSA 201209-21 at http://security.gentoo.org/glsa/glsa-201209-21.xml
by GLSA coordinator Sean Amoss (ackle).