FS#44488 - [arj][CVE-2015-0556][CVE-2015-0557][CVE-2015-2782] multiple issues
Attached to Project: Community Packages
Opened by Christian Rebischke (Shibumi) - Tuesday, 07 April 2015, 15:11 GMT
Last edited by Alexander F. Rødseth (xyproto) - Wednesday, 22 April 2015, 13:35 GMT
Details
Hello,
I am not sure. But our arj package could be vulnerable to one or all of the new CVEs. There is no new version upstream yet. But it seems like Debian has fixed the issues. Question for the maintainer: 'Is our arj version vulnerable or not?' I am struggling with the arj version numbers... arj has been on the same version since 2013 and these CVEs are new.

CVE-2015-0556
Jakub Wilk discovered that arj follows symlinks created during unpacking of an arj archive. A remote attacker could use this flaw to perform a directory traversal attack if a user or automated system were tricked into processing a specially crafted arj archive.

CVE-2015-0557
Jakub Wilk discovered that arj does not sufficiently protect from directory traversal while unpacking an arj archive containing file paths with multiple leading slashes. A remote attacker could use this flaw to write to arbitrary files if a user or automated system were tricked into processing a specially crafted arj archive.

CVE-2015-2782
Jakub Wilk and Guillem Jover discovered a buffer overflow vulnerability in arj. A remote attacker could use this flaw to cause an application crash or, possibly, execute arbitrary code with the privileges of the user running arj.

Best regards,
Christian Rebischke
Arch Linux CVE monitoring team
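Added illustration, not part of the original report and not arj's or Debian's actual patch: a member-path check an extractor can run before creating each file, covering the two traversal cases described above (multiple leading slashes, and symlinks created earlier in the same unpack). The function names, the `root` parameter and the scratch directory used in `main` are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L /* lstat, mkdtemp, symlink */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak form (hypothetical): drops one '/', so "//etc/x" stays absolute. */
const char *strip_one_slash(const char *p) { return *p == '/' ? p + 1 : p; }

/* Hardened form: drops every leading '/'. */
const char *strip_all_slashes(const char *p) {
    while (*p == '/') p++;
    return p;
}

/* 1 if member `name` may be created under `root`, else 0. Rejects empty
 * names, ".." components, and components that already exist as symlinks,
 * e.g. one planted by an earlier archive member (lstat does not follow). */
int member_is_safe(const char *root, const char *name) {
    char path[4096];
    struct stat st;
    size_t used = (size_t)snprintf(path, sizeof path, "%s", root);
    if (used >= sizeof path) return 0;
    name = strip_all_slashes(name);
    if (*name == '\0') return 0;
    while (*name) {
        size_t len = strcspn(name, "/");
        if (len == 2 && name[0] == '.' && name[1] == '.') return 0;
        if (used + len + 2 > sizeof path) return 0;
        path[used++] = '/';
        memcpy(path + used, name, len);
        used += len;
        path[used] = '\0';
        if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) return 0;
        name = strip_all_slashes(name + len);
    }
    return 1;
}

int main(void) { /* constructed demo: scratch dir with symlink out -> /tmp */
    char root[] = "/tmp/arjdemoXXXXXX", link[64];
    if (!mkdtemp(root)) return 1;
    snprintf(link, sizeof link, "%s/out", root);
    if (symlink("/tmp", link) != 0) return 1;
    printf("%d %d %d\n", member_is_safe(root, "//etc/passwd"),
           member_is_safe(root, "out/evil"), member_is_safe(root, "a/../../b"));
    unlink(link); rmdir(root);
    return 0;
}
```

The `lstat` check and the later file creation are separate steps, so an extractor that must also resist concurrent changes to the target directory would open each component with `openat()` and `O_NOFOLLOW` instead.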
Closed by Alexander F. Rødseth (xyproto)
Wednesday, 22 April 2015, 13:35 GMT
Reason for closing: Upstream
Additional comments about closing: Moved to AUR, see https://lists.archlinux.org/pipermail/aur-general/2015-April/030503.html
FS#44411. The others are new here, though.