arc: CVE-2015-9275: directory traversal

Related Vulnerabilities: CVE-2015-9275  

Debian Bug report logs - #774527
arc: CVE-2015-9275: directory traversal


Package: arc; Maintainer for arc is Debian QA Group <packages@qa.debian.org>; Source for arc is src:arc (PTS, buildd, popcon).

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Sat, 3 Jan 2015 23:27:02 UTC

Severity: grave

Tags: security

Found in versions arc/5.21q-1, arc/5.21p-1

Fixed in versions arc/5.21q-6, arc/5.21q-4+deb9u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#774527; Package arc. (Sat, 03 Jan 2015 23:27:07 GMT) (full text, mbox, link).


Message #3 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: arc: directory traversal
Date: Sun, 4 Jan 2015 00:24:02 +0100
[Message part 1 (text/plain, inline)]
Package: arc
Version: 5.21q-1
Tags: security

arc is susceptible to directory traversal:

$ pwd
/home/jwilk

$ arc x traversal.arc
Extracting file: /tmp/moo

$ ls -l /tmp/moo
-rw-r--r-- 1 jwilk users 4 Jan  4  2015 /tmp/moo


The script I used to create the test case is available at:
https://bitbucket.org/jwilk/path-traversal-samples

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages arc depends on:
ii  libc6  2.19-13

-- 
Jakub Wilk
[traversal.arc (application/octet-stream, attachment)]
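The report above shows the failure mode: a member name inside the archive is an absolute path, and the extractor writes it there instead of under the current directory. As an added example (not code from the arc project, the reporter, or the patches attached later in this log), here is the kind of member-name validation an extractor should apply before it opens any output file. The function names, the DOS-separator handling, and the sample names are this example's own assumptions; ARC archives originate on MS-DOS, so both `/` and `\` are treated as separators.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Return 1 if an archive member name may be written beneath the extraction
 * directory, 0 if it must be skipped. Rejects empty names, absolute paths
 * (POSIX "/..." or DOS "\..."), DOS drive prefixes ("C:"), and any ".."
 * path component, whichever separator is used. */
int member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (name[0] == '/' || name[0] == '\\')          /* absolute path */
        return 0;
    if (((name[0] >= 'A' && name[0] <= 'Z') ||
         (name[0] >= 'a' && name[0] <= 'z')) && name[1] == ':')
        return 0;                                    /* DOS drive letter */

    /* Walk the name one component at a time; a component that is exactly
     * ".." could climb out of the destination, so reject it. A longer
     * component that merely starts with ".." (e.g. "..moo") is harmless. */
    const char *p = name;
    while (*p != '\0') {
        const char *q = p;
        while (*q != '\0' && *q != '/' && *q != '\\')
            q++;
        size_t len = (size_t)(q - p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p = (*q != '\0') ? q + 1 : q;
    }
    return 1;
}

/* Build "<dest>/<name>" into out, converting DOS separators to '/'.
 * Returns 0 on success, -1 if the name is unsafe or does not fit. */
int build_extract_path(const char *dest, const char *name,
                       char *out, size_t outlen)
{
    if (!member_name_is_safe(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", dest, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    for (char *c = out; *c != '\0'; c++)
        if (*c == '\\')
            *c = '/';
    return 0;
}

/* Convenience wrapper for demonstration: the built path, or NULL when the
 * member must be skipped. Uses a static buffer, so not reentrant. */
const char *extract_path_or_null(const char *dest, const char *name)
{
    static char buf[4096];
    return build_extract_path(dest, name, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    /* Constructed member names; "/tmp/moo" mirrors the report above. */
    const char *names[] = { "moo", "sub\\moo", "/tmp/moo", "../moo",
                            "sub\\..\\moo", "C:moo", "..moo" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *path = extract_path_or_null("/home/jwilk", names[i]);
        printf("%-12s -> %s\n", names[i], path ? path : "REJECTED");
    }
    return 0;
}
```

This check stops the absolute-path and `..` cases the report demonstrates. It does not, on its own, stop an archive that first extracts a symlink and then a file through it; an extractor that wants to close that hole as well has to refuse to follow symlinks when opening the output (for example with `O_NOFOLLOW` on each component), which this example leaves out.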

Marked as found in versions arc/5.21p-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 07 Jan 2015 17:06:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#774527; Package arc. (Fri, 16 Jan 2015 15:30:08 GMT) (full text, mbox, link).


Acknowledgement sent to Hans de Goede <hdegoede@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Fri, 16 Jan 2015 15:30:08 GMT) (full text, mbox, link).


Message #10 received at 774527@bugs.debian.org (full text, mbox, reply):

From: Hans de Goede <hdegoede@redhat.com>
To: 774527@bugs.debian.org
Subject: Patches fixing arc: directory traversal
Date: Fri, 16 Jan 2015 16:27:36 +0100
[Message part 1 (text/plain, inline)]
Hi,

Attached are 3 patches fixing this, apply order:

arc-5.21p-hdrv1-read-fix.patch
arc-5.21p-fix-arcdie.patch
arc-5.21p-directory-traversel.patch

The first patch really is an unrelated issue I noticed while working on
this, the second patch is a preparation patch and the third patch is
the real fix.

Regards,

Hans

[arc-5.21p-directory-traversel.patch (text/x-patch, attachment)]
[arc-5.21p-fix-arcdie.patch (text/x-patch, attachment)]
[arc-5.21p-hdrv1-read-fix.patch (text/x-patch, attachment)]

Severity set to 'grave' from 'normal'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Fri, 04 Jan 2019 22:33:10 GMT) (full text, mbox, link).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 06 Jan 2019 20:51:11 GMT) (full text, mbox, link).


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Sun, 06 Jan 2019 20:51:11 GMT) (full text, mbox, link).


Message #17 received at 774527-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 774527-close@bugs.debian.org
Subject: Bug#774527: fixed in arc 5.21q-6
Date: Sun, 06 Jan 2019 20:48:34 +0000
Source: arc
Source-Version: 5.21q-6

We believe that the bug you reported is fixed in the latest version of
arc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774527@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated arc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 06 Jan 2019 20:58:58 +0100
Source: arc
Binary: arc
Architecture: source
Version: 5.21q-6
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 774527
Description: 
 arc        - Archive utility based on the MSDOS ARC program
Changes:
 arc (5.21q-6) unstable; urgency=medium
 .
   * QA upload.
   * Fix version 1 arc header reading
   * Fix arcdie crash when called with more than 1 variable argument
   * Fix directory traversal bugs.
     Thanks to Hans de Goede <hdegoede@redhat.com> (Closes: #774527)
Checksums-Sha1: 
 1dc751c69d08451a275a7c9d4556464927ec94b8 1816 arc_5.21q-6.dsc
 65100c93d59dfda9a66d9576b07a8083cbed9f73 6256 arc_5.21q-6.debian.tar.xz
Checksums-Sha256: 
 daf260f63f4c9ded207ab021c8f1ff8fcab866162f4fc865cd01e7cef79647bc 1816 arc_5.21q-6.dsc
 20bc4b7eade21f2a83abea1cb1d5954ae052ba71bed902b4a1e2ded19849dd30 6256 arc_5.21q-6.debian.tar.xz
Files: 
 a5e1917cde13337c33edfce2997b63ba 1816 utils optional arc_5.21q-6.dsc
 a8f7bed0262a03c74d895c4169d73317 6256 utils optional arc_5.21q-6.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlwyYG1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EJ4EP/24YPJy+AVw327p/cfpx9r0Gzu7880Np
+1jivCl9EJeIAC4H+T7UU9Jyw1n1kd36E2UuwG7/MVTe4JRNao6MqJCdjekiZ7zP
pp33qtBZEGDQGD8qsnhxCH7f33kDFaqhN1VzfFUl0myAbcbSZhmNRBczYEEkFohf
iIiVnKSaPm6CRi2LoDho6p/GYOm2eO5MllxFO3fLGlEXBWG7nWwMZIw9fIv2Z2G9
bcdPsxpI1gQWi+XF+MPvpq9F2TXwufLC/ulPqTb7sJbFi9ugodat+s7t0JLlMwDs
SKdeIR/oImLrFhC5/Mf2rcrg2vY/if2YnzipIt3KZS0sr+n6HFwHDt9Cl4KEwv4a
RuD05wRk3Aa69Nz/iqLppy3Sn4PFRdvMzADAR895Fc9COdiDbB6UYq9pafiIoDdZ
vlm/4STOT3ZrRDOHcKaZvVKlGBGrX/j71zIEI2Ua1K7IXWY4ROSf3x0+HhNoFU1q
KqoEivjhIvR4xXuoRANANPCny+FOZwhdE3FORG2bigdHaiGzmMdboxRNKvMXbGBB
vwaP2ntbxLeuDfN8b1m/qg34+yKZ83iAH4yU7TW26gl6s+AA4lKG3ISVTLeQhzNq
jQ/OFgkFSk0cJgskK63LUrsMEJoZSXLA5nlBqoo9RB/FkgGsbJv04wO3BpWmFk9B
oYzQtPmke/vt
=wY4j
-----END PGP SIGNATURE-----

Changed Bug title to 'arc: CVE-2015-9275: directory traversal' from 'arc: directory traversal'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 07 Jan 2019 18:54:06 GMT) (full text, mbox, link).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 04 Feb 2019 21:51:06 GMT) (full text, mbox, link).


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Mon, 04 Feb 2019 21:51:07 GMT) (full text, mbox, link).


Message #24 received at 774527-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 774527-close@bugs.debian.org
Subject: Bug#774527: fixed in arc 5.21q-4+deb9u1
Date: Mon, 04 Feb 2019 21:47:08 +0000
Source: arc
Source-Version: 5.21q-4+deb9u1

We believe that the bug you reported is fixed in the latest version of
arc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774527@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated arc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 03 Feb 2019 22:39:01 +0100
Source: arc
Binary: arc
Architecture: source
Version: 5.21q-4+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Adilson dos Reis <adilsondosreis@yahoo.com.br>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 774527
Description: 
 arc        - Archive utility based on the MSDOS ARC program
Changes:
 arc (5.21q-4+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Fix version 1 arc header reading
   * Fix arcdie crash when called with more than 1 variable argument
   * Fix directory traversal bugs (CVE-2015-9275)
     Thanks to Hans de Goede <hdegoede@redhat.com> (Closes: #774527)
Checksums-Sha1: 
 2bcd5a31aabf2ebaf80abc64dc8dd7c6fad511b7 1850 arc_5.21q-4+deb9u1.dsc
 ff84976741f5dcc490f72f95f0d97596d6c8b9f0 6052 arc_5.21q-4+deb9u1.debian.tar.xz
Checksums-Sha256: 
 0b8f102f4c82b9b272f35dfaf4c4f97ceb40998d600908a429ea0a6aac195d60 1850 arc_5.21q-4+deb9u1.dsc
 bfe0912036fed5a035e508a05d8fe5037c80a9058deea89ae9a4e9132b15d797 6052 arc_5.21q-4+deb9u1.debian.tar.xz
Files: 
 79898e9146c4c05f01eb32062df1682c 1850 utils optional arc_5.21q-4+deb9u1.dsc
 79b8d97df74b7e5a79f77ec089c0a51d 6052 utils optional arc_5.21q-4+deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlxXYF5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ErigP+gJOD6jLZ5BujbhDpuvcFusFW6U0adM7
QYAEvjKittY5wkTnvT+4t99r0jbG0cQOdBRIJdcORdD5pronLITlh9QN5mGGSe87
UiQBwwaOyRIpfP3NupjNe/hsrP+E+EVaixj/0lKC98vaPLN5WxQQjH4v0fczrCtV
V5NNHQQvGyfoeINNgN+u+DtgzP03ZNcbaU+KXgeC4XuMKt/CxL24RZiSuLdbWJxs
P/lmAsKjJflSA58AQNnVPE0xbsGJkAYfc2tTZif1zIBayBLbxFyKhSZNFv6jUQ3h
0ylPdILUQqasPq/+01lOd1l6JIgsF3qkmy1Yh/PlRhNxi4x14pEqNMjGha4mPPQB
lHBPiAMHob2Nni9NVmZdi0+M54/tsEvXmU8kyZKlFf94Cx45rv+DZ0G7UyXpe0a/
jZzBZVR2fyAIjzsdkhY8BeGazni0Zit+bG81aiQ/RyjYesS5x9SHiEDCMx80K4wZ
zcp6t1MaXgBaAQORTu87N2vOzowA16bTphrfy2g8ZZ1N+N+KtKyBykiehBnyYwN0
fghFxX/1AYKwZeR87dv5GGTcjDd9FhbKFAzuqB9dfJJu3yb9cewY5Ypvtr/rCOQF
JQ8EnvOWI7bGSnFbSCHfH8YBfMfNyGxxQKPo8ZAN4y6GHo4qY3/qbGREHT7ssF6a
jQGmdcy0bALG
=gJNt
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Mar 2019 07:27:01 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:20:39 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.