Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 535708 (CVE-2015-0556)

Summary: <app-arch/arj-3.10.22-r5: two vulnerabilities (CVE-2015-{0556,0557})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: maintainer-needed
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2015/01/03/5
See Also: https://bugs.gentoo.org/show_bug.cgi?id=541500
Whiteboard: B4 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 541500    

Description Agostino Sarubbo gentoo-dev 2015-01-05 20:18:37 UTC
From ${URL} :

Jakub Wilk reported two directory traversal issues with arj, an
archiver for .arj files. There are two issues reported as separate
bugs to the Debian BTS:

arj: symlink directory traversal:
 - https://bugs.debian.org/774434

arj: directory traversal via //multiple/leading/slash:
 - https://bugs.debian.org/774435

Reproducers for both issues are also attached bot the corresponding
bugs.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-06-21 00:12:44 UTC
CVE-2015-0557 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0557):
  Open-source ARJ archiver 3.10.22 does not properly remove leading slashes
  from paths, which allows remote attackers to conduct absolute path traversal
  attacks and write to arbitrary files via multiple leading slashes in a path
  in an ARJ archive.

CVE-2015-0556 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0556):
  Open-source ARJ archiver 3.10.22 allows remote attackers to conduct
  directory traversal attacks via a symlink attack in an ARJ archive.
Comment 2 Michael Palimaka (kensington) gentoo-dev 2015-12-08 16:37:18 UTC
Arch teams, please test and stabilise app-arch/arj-3.10.22-r5.

Target KEYWORDS="amd64 ppc sparc x86".

Thanks!
Comment 3 Agostino Sarubbo gentoo-dev 2015-12-09 10:48:24 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-12-25 18:20:17 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-12-26 10:56:04 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-01-09 07:11:06 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-12-06 03:50:43 UTC
This issue was resolved and addressed in
 GLSA 201612-15 at https://security.gentoo.org/glsa/201612-15
by GLSA coordinator Aaron Bauman (b-man).