| Summary: | <app-arch/arj-3.10.22-r5: two vulnerabilities (CVE-2015-{0556,0557}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | maintainer-needed |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2015/01/03/5 | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=541500 | | |
| Whiteboard: | B4 [glsa cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 541500 | | |
Description
Agostino Sarubbo
2015-01-05 20:18:37 UTC
CVE-2015-0557 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0557): Open-source ARJ archiver 3.10.22 does not properly remove leading slashes from paths, which allows remote attackers to conduct absolute path traversal attacks and write to arbitrary files via multiple leading slashes in a path in an ARJ archive.

CVE-2015-0556 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0556): Open-source ARJ archiver 3.10.22 allows remote attackers to conduct directory traversal attacks via a symlink attack in an ARJ archive.

Arch teams, please test and stabilise app-arch/arj-3.10.22-r5. Target KEYWORDS="amd64 ppc sparc x86". Thanks!

amd64 stable

x86 stable

ppc stable

sparc stable

Maintainer(s), please cleanup. Security, please vote.

GLSA Vote: No

Cleaned up: https://gitweb.gentoo.org/repo/gentoo.git/commit/?h=python-exec-prefix&id=aea608c70b3f31aa4ca0a40fbd8662a654762f0f

This issue was resolved and addressed in GLSA 201612-15 at https://security.gentoo.org/glsa/201612-15 by GLSA coordinator Aaron Bauman (b-man).
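The two CVE texts in the report describe the bug classes without showing what a correct extractor has to check. The Python below is an added example, not code from arj, from this bug or from the GLSA: it models an archive extractor that strips every leading slash instead of one (the CVE-2015-0557 shape, `//etc/passwd`), rejects `..` components, and refuses to write through a symlink that an earlier member of the same archive planted (the usual shape of an archive symlink attack; the advisory does not spell the mechanism out, so that reading is an assumption of this example). The member tuples, helper names and scratch directories are constructed for the illustration and are not ARJ data.

```python
"""Hardened handling of archive member paths at extraction time.

Added example, not arj's code. Members are constructed (name, kind, payload)
tuples rather than parsed ARJ headers.
"""
import os
import re
import tempfile


class UnsafeEntry(Exception):
    """Raised for a member that would be written outside the extraction root."""


def sanitize_member_path(name: str) -> str:
    """Reduce a member name to a relative path with no '..' components.

    CVE-2015-0557 shape: '//etc/passwd'. Stripping only the first '/' leaves
    the path absolute, so every leading slash is removed (lstrip) and each
    component is then checked for '..' and drive-letter prefixes.
    """
    name = name.replace("\\", "/")  # ARJ is a DOS-heritage format; accept '\' too
    parts = [p for p in name.lstrip("/").split("/") if p not in ("", ".")]
    if not parts:
        raise UnsafeEntry(f"no usable path in {name!r}")
    if re.fullmatch(r"[A-Za-z]:", parts[0]):
        raise UnsafeEntry(f"drive prefix in {name!r}")
    if ".." in parts:
        raise UnsafeEntry(f"parent traversal in {name!r}")
    return "/".join(parts)


def resolve_inside(root: str, rel: str) -> str:
    """Join rel under root; refuse it if, once symlinks already on disk are
    followed, it lands outside root. Assumed CVE-2015-0556 shape: an earlier
    member plants a symlink, a later member's path passes through it."""
    target = os.path.join(root, rel)
    real = os.path.realpath(target)
    if os.path.commonpath([root, real]) != root:
        raise UnsafeEntry(f"{rel!r} resolves to {real!r}, outside {root!r}")
    return target


def extract(entries, dest):
    """Extract constructed members. kind is 'dir', 'file' (payload bytes) or
    'symlink' (payload is the link target). Returns (written, rejected)."""
    root = os.path.realpath(dest)
    written, rejected = [], []
    for name, kind, payload in entries:
        try:
            rel = sanitize_member_path(name)
            target = resolve_inside(root, rel)
        except UnsafeEntry:
            rejected.append(name)
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        if kind == "dir":
            os.makedirs(target, exist_ok=True)
        elif kind == "symlink":
            os.symlink(payload, target)  # may point anywhere; it is never followed
        else:
            # O_NOFOLLOW on the final component narrows the race between the
            # realpath check above and the open (no-op where unsupported).
            flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
            fd = os.open(target, flags, 0o644)
            with os.fdopen(fd, "wb") as fh:
                fh.write(payload)
        written.append(rel)
    return written, rejected


def demo():
    """Run attack-shaped members (constructed for this example) against a
    scratch directory and report what landed where."""
    dest = tempfile.mkdtemp(prefix="arj-dest-")
    outside = tempfile.mkdtemp(prefix="arj-outside-")
    entries = [
        ("//etc/passwd", "file", b"root::0:0::/:/bin/sh\n"),  # lands at <dest>/etc/passwd
        ("../../escape.txt", "file", b"x\n"),                  # rejected: '..'
        ("link", "symlink", outside),                          # created, never followed
        ("link/owned.txt", "file", b"pwned\n"),                # rejected: escapes via link
        ("docs/readme.txt", "file", b"benign\n"),
    ]
    written, rejected = extract(entries, dest)
    return {
        "written": written,
        "rejected": rejected,
        "outside_untouched": not os.path.exists(os.path.join(outside, "owned.txt")),
        "passwd_under_dest": os.path.isfile(os.path.join(dest, "etc", "passwd")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The symlink member itself is still created, because a link pointing outside the tree is data, not a write; the damage only happens when a later member is opened through it, and that is the point at which `resolve_inside` rejects. A stricter policy that also refuses symlinks whose target resolves outside the root is a reasonable hardening on top of this, at the cost of rejecting some legitimate archives.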