Summary: | <app-arch/arj-3.10.22-r5: buffer overflow write access initiated by a size read from a crafted archive (CVE-2015-2782) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | maintainer-needed, mjo |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1196751 | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=535708 | ||
Whiteboard: | B2 [glsa cve] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 535708 | ||
Bug Blocks: |
Description
Agostino Sarubbo
2015-02-27 08:25:37 UTC
CVE-2015-2782 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2782): Buffer overflow in Open-source ARJ archiver 3.10.22 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ARJ archive. We have 3.10.22-r5 in tree undergoing stabilization as part of Bug # 535708, is this vulnerability handled by the same build? This is fixed in Debian's 3.10.22-13, which is the version used by our arj-3.10.22-r5 and later. So, I believe this is fixed in the tree already. The older versions are gone, too. Like said in comment #3 we already have a fixed version in tree which went stable via bug 535708. No vulnerable version left so all done. New GLSA created. This issue was resolved and addressed in GLSA 201612-15 at https://security.gentoo.org/glsa/201612-15 by GLSA coordinator Aaron Bauman (b-man). |