Community Packages

Please read this before reporting a bug:
http://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#44488 - [arj][CVE-2015-0556][CVE-2015-0557][CVE-2015-2782] multiple issues

Attached to Project: Community Packages
Opened by Christian Rebischke (Shibumi) - Tuesday, 07 April 2015, 15:11 GMT
Last edited by Alexander F Rødseth (trontonic) - Wednesday, 22 April 2015, 13:35 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Alexander F Rødseth (trontonic)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Hello,
I am not sure. But our arj package could be vulnerable against one or all new CVEs. There is no new version in the upstream yet. But seems like debian has fixed the issues. Question for the maintainer:'is our arj version vulnerable or not?' I am struggling with the arj versionsnumbers.. arj is on the same version since 2013 and these CVEs are new.

CVE-2015-0556

Jakub Wilk discovered that arj follows symlinks created during
unpacking of an arj archive. A remote attacker could use this flaw
to perform a directory traversal attack if a user or automated
system were tricked into processing a specially crafted arj archive.

CVE-2015-0557

Jakub Wilk discovered that arj does not sufficiently protect from
directory traversal while unpacking an arj archive containing file
paths with multiple leading slashes. A remote attacker could use
this flaw to write to arbitrary files if a user or automated system
were tricked into processing a specially crafted arj archive.

CVE-2015-2782

Jakub Wilk and Guillem Jover discovered a buffer overflow
vulnerability in arj. A remote attacker could use this flaw to cause
an application crash or, possibly, execute arbitrary code with the
privileges of the user running arj.


best regards

Christian Rebischke

archlinux cve monitoring team
This task depends upon

Closed by  Alexander F Rødseth (trontonic)
Wednesday, 22 April 2015, 13:35 GMT
Reason for closing:  Upstream
Additional comments about closing:  Moved to AUR, see https://lists.archlinux.org/pipermail/au r-general/2015-April/030503.html
Comment by Doug Newgard (Scimmia) - Tuesday, 07 April 2015, 15:34 GMT
The last one was already reported in  FS#44411 . The others are new here, though.
Comment by Alexander F Rødseth (trontonic) - Sunday, 19 April 2015, 22:01 GMT
Hi, thanks for reporting. I'll look into this.

Loading...