
Bug#368397: fastjar: CVE-2005-3990: directory traversal vulnerability

Package: fastjar
Version: 1:4.1.0-4
Severity: normal
Tags: security

CVE-2005-3990: "Directory traversal vulnerability in FastJar 0.93 allows
remote attackers to overwrite arbitrary files via a .jar file containing
filenames with "../" sequences."

I can reproduce this with the following steps (modified from an earlier
SUN jar vulnerability report [1]):

$ mkdir /tmp/foo
$ echo hi > /tmp/hi
$ cd /tmp/foo
$ fastjar cvf foo.jar ../hi
adding: META-INF/ (in=0) (out=0) (stored 0%)
adding: META-INF/MANIFEST.MF (in=56) (out=56) (stored 0%)
adding: ../hi (in=3) (out=5) (deflated -66%)
(in = 51) (out = 371) (deflated -627%)
$ rm ../hi
$ fastjar xvf foo.jar
   created: META-INF/
  inflated: ../hi
$ cat ../hi

Please mention the CVE in your changelog.



[1] http://www.securiteam.com/securitynews/5IP0C0AFGW.html

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16-alec-laptop
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages fastjar depends on:
ii  libc6                         2.3.6-9    GNU C Library: Shared libraries
ii  zlib1g                        1:1.2.3-11 compression library - runtime

fastjar recommends no packages.

-- no debconf information
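The reproduction above works because the extractor takes the entry name "../hi" straight from the archive and uses it as the output path relative to the current directory. As an added example (not the reporter's words and not fastjar's own code), the block below contrasts a naive substring check with a component-wise validation of archive entry names before they are turned into extraction paths. The function names, the destination directory "/tmp/foo" and the list of entry names are constructed for this illustration; only "../hi" and the META-INF entries come from the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Naive pattern check of the kind that is easy to write first.  It catches
 * "../hi" from the report, but passes "foo/.." (no trailing slash after the
 * dots) and an absolute "/etc/passwd".  Hypothetical, for contrast only. */
bool naive_check(const char *name)
{
    return strstr(name, "../") == NULL;
}

/* Component-wise check of an archive entry name.  Rejects empty names,
 * absolute paths, Windows separators and drive letters, and any ".."
 * component, whatever surrounds it.  A file literally named "..hi" is
 * still allowed because it is not the ".." component. */
bool entry_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/')                 /* absolute POSIX path */
        return false;
    if (strchr(name, '\\') != NULL)     /* backslash: treat as hostile */
        return false;
    if (name[1] == ':')                 /* drive letter such as C:foo */
        return false;

    const char *p = name;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;               /* ".." would climb out of dest */
        if (slash == NULL)
            break;
        p = slash + 1;                  /* a trailing "/" ends in "" and is fine */
    }
    return true;
}

/* Build the on-disk path for an entry only after its name has been vetted.
 * Returns false if the name is unsafe or the output buffer is too small. */
bool extraction_path(const char *dest_dir, const char *name,
                     char *out, size_t outsz)
{
    if (!entry_name_is_safe(name))
        return false;
    int n = snprintf(out, outsz, "%s/%s", dest_dir, name);
    return n >= 0 && (size_t)n < outsz;
}

int main(void)
{
    /* Constructed entry names; "../hi" is the one used in the bug report. */
    const char *names[] = {
        "META-INF/", "META-INF/MANIFEST.MF", "../hi",
        "META-INF/../../../tmp/owned", "foo/..", "/etc/passwd", "..hi",
    };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        bool ok = extraction_path("/tmp/foo", names[i], path, sizeof path);
        printf("%-30s naive=%-6s component=%-6s %s\n", names[i],
               naive_check(names[i]) ? "pass" : "REJECT",
               ok ? "pass" : "REJECT",
               ok ? path : "");
    }
    return 0;
}
```

The point of the component walk is that the dangerous token is the ".." path component, not the three characters "../": an extractor that only searches for the substring still writes "foo/.." one level above its destination directory, and a leading "/" needs no dots at all. Symlinks inside an archive are a separate concern not covered by a name check alone.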
