arj: CVE-2015-0557: directory traversal via //multiple/leading/slash

Related Vulnerabilities: CVE-2015-0557, CVE-2015-0556, CVE-2015-2782

Debian Bug report logs - #774435

Package: arj; Maintainer for arj is Guillem Jover <guillem@debian.org>; Source for arj is src:arj (PTS, buildd, popcon).

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Fri, 2 Jan 2015 17:57:07 UTC

Severity: normal

Tags: security

Found in versions arj/3.10.22-9, arj/3.10.22-10, arj/3.10.22-12

Fixed in versions arj/3.10.22-13, arj/3.10.22-10+deb7u1, arj/3.10.22-9+deb6u1

Done: Thorsten Alteholz <debian@alteholz.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Guillem Jover <guillem@debian.org>:
Bug#774435; Package arj. (Fri, 02 Jan 2015 17:57:11 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: arj: directory traversal via //multiple/leading/slash
Date: Fri, 2 Jan 2015 18:53:35 +0100
Package: arj
Version: 3.10.22-12
Tags: security

To protect from directory traversals, ARJ strips the leading slash from the 
path when unpacking stuff. But this protection can easily be bypassed by 
stuffing more than one leading slash into the path:

$ pwd
/home/jwilk

$ arj x traversal-slash-slash.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [08 Aug 2014]

Processing archive: traversal-slash-slash.arj
Archive created: 2015-01-02 18:11:00, modified: 2015-01-02 18:11:00
Extracting //tmp/moo                  to /tmp/moo                    OK
    1 file(s)

$ ls -l /tmp/moo
-rw-r--r-- 1 jwilk jwilk 4 Jan  2 18:11 /tmp/moo


The script I used to create the test case is available at:
https://bitbucket.org/jwilk/path-traversal-samples

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages arj depends on:
ii  libc6  2.19-13

-- 
Jakub Wilk
[traversal-slash-slash.arj (application/octet-stream, attachment)]
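Added example, not code from the report or from the arj package: a small C model of the weak sanitiser the report describes (drop exactly one leading slash) beside a hardened variant that drops every leading slash, plus the pre-extraction check a defender would run on the sanitised name. The function names and the hardened strategy are assumptions for illustration, not the actual Debian patch.

```c
#include <stdio.h>
#include <string.h>

/* Weak sanitiser modelling the behaviour the report describes: exactly one
 * leading '/' is dropped, so "//tmp/moo" becomes the absolute "/tmp/moo". */
static const char *strip_one_leading_slash(const char *name)
{
    return (name[0] == '/') ? name + 1 : name;
}

/* Hardened variant (assumed fix, not the arj project's own patch): drop every
 * leading '/' so whatever remains can only be a relative name. */
static const char *strip_all_leading_slashes(const char *name)
{
    while (*name == '/')
        name++;
    return name;
}

/* Defensive check to run on the sanitised name before creating any file:
 * returns 1 if the name is empty, still absolute, or has a ".." component. */
static int path_escapes(const char *name)
{
    if (name[0] == '\0' || name[0] == '/')
        return 1;
    for (const char *q = name; ; ) {
        const char *end = strchr(q, '/');
        size_t len = end ? (size_t)(end - q) : strlen(q);
        if (len == 2 && q[0] == '.' && q[1] == '.')
            return 1;
        if (!end)
            return 0;
        q = end + 1;
    }
}

int main(void)
{
    /* Constructed archive entry names; "//tmp/moo" is the one from the report. */
    const char *entries[] = { "docs/readme.txt", "/etc/passwd", "//tmp/moo", "a/../x" };
    for (size_t i = 0; i < sizeof entries / sizeof *entries; i++) {
        const char *weak = strip_one_leading_slash(entries[i]);
        const char *safe = strip_all_leading_slashes(entries[i]);
        printf("%-16s weak -> %-12s %-8s safe -> %-12s %s\n", entries[i],
               weak, path_escapes(weak) ? "ESCAPES" : "ok",
               safe, path_escapes(safe) ? "REJECT" : "ok");
    }
    return 0;
}
```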

Marked as found in versions arj/3.10.22-10. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 02 Jan 2015 21:15:15 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Guillem Jover <guillem@debian.org>:
Bug#774435; Package arj. (Mon, 05 Jan 2015 17:36:12 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Guillem Jover <guillem@debian.org>. (Mon, 05 Jan 2015 17:36:12 GMT)


Message #10 received at 774435@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jakub Wilk <jwilk@debian.org>, 774435@bugs.debian.org
Subject: Re: Bug#774435: arj: directory traversal via //multiple/leading/slash
Date: Mon, 5 Jan 2015 18:35:19 +0100
Control: retitle -1 arj: CVE-2015-0557: directory traversal via //multiple/leading/slash

Hi,

CVE-2015-0557 was assigned for this issue.

Regards,
Salvatore



Changed Bug title to 'arj: CVE-2015-0557: directory traversal via //multiple/leading/slash' from 'arj: directory traversal via //multiple/leading/slash'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 774435-submit@bugs.debian.org. (Mon, 05 Jan 2015 17:36:12 GMT)


Reply sent to Guillem Jover <guillem@debian.org>:
You have taken responsibility. (Sat, 28 Mar 2015 04:21:14 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Sat, 28 Mar 2015 04:21:14 GMT)


Message #17 received at 774435-close@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: 774435-close@bugs.debian.org
Subject: Bug#774435: fixed in arj 3.10.22-13
Date: Sat, 28 Mar 2015 04:19:15 +0000
Source: arj
Source-Version: 3.10.22-13

We believe that the bug you reported is fixed in the latest version of
arj, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774435@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated arj package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 28 Mar 2015 04:22:18 +0100
Source: arj
Binary: arj
Architecture: source
Version: 3.10.22-13
Distribution: unstable
Urgency: high
Maintainer: Guillem Jover <guillem@debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description:
 arj        - archiver for .arj files
Closes: 774015 774434 774435
Changes:
 arj (3.10.22-13) unstable; urgency=high
 .
   * Fix buffer overflow from size under user control, causing free() on an
     invalid pointer. (Closes: #774015)
   * Fix absolute path directory traversal. Fixes CVE-2015-0557.
     (Closes: #774435)
   * Fix symlink directory traversal. Fixes CVE-2015-0556. (Closes: #774434)

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 06 Apr 2015 19:51:32 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Mon, 06 Apr 2015 19:51:32 GMT)


Message #22 received at 774435-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 774435-close@bugs.debian.org
Subject: Bug#774435: fixed in arj 3.10.22-10+deb7u1
Date: Mon, 06 Apr 2015 19:47:05 +0000
Source: arj
Source-Version: 3.10.22-10+deb7u1

We believe that the bug you reported is fixed in the latest version of
arj, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774435@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated arj package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 03 Apr 2015 20:21:46 +0200
Source: arj
Binary: arj
Architecture: source amd64
Version: 3.10.22-10+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Guillem Jover <guillem@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 arj        - archiver for .arj files
Closes: 774015 774434 774435
Changes: 
 arj (3.10.22-10+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team with patches from Guillem Jover
   * Fix buffer overflow from size under user control.
     This is causing free() on an invalid pointer.
     Fixes: CVE-2015-2782 (Closes: #774015)
   * Fix absolute path directory traversal.
     Fixes: CVE-2015-0557 (Closes: #774435)
   * Fix symlink directory traversal.
     Fixes: CVE-2015-0556 (Closes: #774434)

Reply sent to Thorsten Alteholz <debian@alteholz.de>:
You have taken responsibility. (Wed, 08 Apr 2015 15:51:15 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Wed, 08 Apr 2015 15:51:15 GMT)


Message #27 received at 774435-close@bugs.debian.org:

From: Thorsten Alteholz <debian@alteholz.de>
To: 774435-close@bugs.debian.org
Subject: Bug#774435: fixed in arj 3.10.22-9+deb6u1
Date: Wed, 08 Apr 2015 15:49:14 +0000
Source: arj
Source-Version: 3.10.22-9+deb6u1

We believe that the bug you reported is fixed in the latest version of
arj, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774435@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated arj package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 08 Apr 2015 16:10:46 +0200
Source: arj
Binary: arj
Architecture: source i386
Version: 3.10.22-9+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Guillem Jover <guillem@debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description: 
 arj        - archiver for .arj files
Closes: 774015 774434 774435
Changes: 
 arj (3.10.22-9+deb6u1) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Squeeze LTS Team
     with patches from Guillem Jover
   * Fix buffer overflow from size under user control.
     This is causing free() on an invalid pointer.
     Fixes: CVE-2015-2782 (Closes: #774015)
   * Fix absolute path directory traversal.
     Fixes: CVE-2015-0557 (Closes: #774435)
   * Fix symlink directory traversal.
     Fixes: CVE-2015-0556 (Closes: #774434)

Marked as found in versions arj/3.10.22-9. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 08 Apr 2015 16:51:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 07 May 2015 07:26:40 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:58:45 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.