fastjar contains the following security problem: When a JAR archive is extracted with filenames with "../" inside, it can extract files outside of the current directory (a so-called directory traversal).
Unsuspecting users unpacking such files could overwrite their own files, or even system files when running as root. I am attaching a sample "cups.jar" from an earlier CUPS tarball, which exposes this problem.

--
Summary: fastjar directory traversal problem
Product: gcc
Version: 4.1.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: fastjar
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: marcus at jet dot franken dot de

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=28359
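
The check an extractor needs before creating each entry, as an added example that is not part of the original report and not fastjar's code: it walks the entry name component by component and rejects any name that is absolute or climbs above the extraction directory. The function name `entry_escapes_root` and the sample entry names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if extracting `name` relative to the current directory could
 * write outside it, 0 otherwise. Purely lexical: it does not resolve
 * symlinks already present on disk. Hypothetical helper, not fastjar code. */
int entry_escapes_root(const char *name)
{
    int depth = 0;                 /* directory levels below the extraction root */
    const char *p = name;

    if (*p == '/')                 /* absolute path ignores the extraction root */
        return 1;

    while (*p) {
        size_t len = strcspn(p, "/");     /* length of the current component */

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)       /* climbed above the root */
                return 1;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;               /* ordinary component descends one level */
        }                          /* empty ("//") and "." leave depth unchanged */

        p += len;
        if (*p == '/')
            p++;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample entry names, not taken from the attached cups.jar. */
    const char *names[] = {
        "META-INF/MANIFEST.MF", "com/example/../Example.class",
        "../outside.txt", "a/../../outside.txt", "/etc/example.conf",
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-32s %s\n", names[i],
               entry_escapes_root(names[i]) ? "REJECT" : "ok");
    return 0;
}
```

Tracking depth rather than searching for the substring "../" keeps names such as `com/example/../Example.class` extractable while still rejecting `a/../../outside.txt`.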