
Bug#774527: marked as done (arc: directory traversal)



Your message dated Sun, 06 Jan 2019 20:48:34 +0000
with message-id <E1ggFLW-0005dK-E0@fasolo.debian.org>
and subject line Bug#774527: fixed in arc 5.21q-6
has caused the Debian Bug report #774527,
regarding arc: directory traversal
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
774527: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774527
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: arc
Version: 5.21q-1
Tags: security

arc is susceptible to directory traversal:

$ pwd
/home/jwilk

$ arc x traversal.arc
Extracting file: /tmp/moo

$ ls -l /tmp/moo
-rw-r--r-- 1 jwilk users 4 Jan  4  2015 /tmp/moo


The script I used to create the test case is available at:
https://bitbucket.org/jwilk/path-traversal-samples

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages arc depends on:
ii  libc6  2.19-13

--
Jakub Wilk

Attachment: traversal.arc
Description: Binary data


--- End Message ---
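The report above shows arc trusting the member name stored in the archive header and writing to the absolute path /tmp/moo. As an added example, not code from arc or from the reporter, the C check below is the kind of validation a safe extractor applies to each member name before joining it to the extraction directory: it rejects empty names, absolute paths, and any ".." component. Treating '\' as a separator and rejecting DOS drive prefixes are my assumptions, chosen because ARC is an MS-DOS era format.

```c
#include <stdio.h>
#include <string.h>

/* Assumption (not from arc): both '/' and '\' count as separators,
 * since ARC archives originate on MS-DOS. */
static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Returns 1 when the member name can be joined under the extraction
 * directory without escaping it, 0 when it must be rejected. */
int arc_member_name_is_safe(const char *name)
{
    const char *p = name;

    if (name == NULL || *name == '\0')
        return 0;                       /* nothing to extract */
    if (is_sep(name[0]))
        return 0;                       /* absolute path, e.g. /tmp/moo */
    if (((name[0] >= 'A' && name[0] <= 'Z') ||
         (name[0] >= 'a' && name[0] <= 'z')) && name[1] == ':')
        return 0;                       /* DOS drive prefix, e.g. C:\... */

    /* Walk each path component and reject a bare ".." anywhere. */
    while (*p) {
        const char *start = p;
        while (*p && !is_sep(*p))
            p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return 0;                   /* e.g. ../../escape */
        while (is_sep(*p))
            p++;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample names, including the one from the report. */
    const char *samples[] = { "moo", "sub/moo", "/tmp/moo",
                              "../moo", "a/../../b", "C:\\boot.ini" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s %s\n", samples[i],
               arc_member_name_is_safe(samples[i]) ? "ok" : "REJECT");
    return 0;
}
```

A name that passes this check should still be joined to the destination directory and opened without following symlinks, since the check covers only the name itself.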
--- Begin Message ---
Source: arc
Source-Version: 5.21q-6

We believe that the bug you reported is fixed in the latest version of
arc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774527@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated arc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 06 Jan 2019 20:58:58 +0100
Source: arc
Binary: arc
Architecture: source
Version: 5.21q-6
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 774527
Description: 
 arc        - Archive utility based on the MSDOS ARC program
Changes:
 arc (5.21q-6) unstable; urgency=medium
 .
   * QA upload.
   * Fix version 1 arc header reading
   * Fix arcdie crash when called with more than 1 variable argument
   * Fix directory traversal bugs.
     Thanks to Hans de Goede <hdegoede@redhat.com> (Closes: #774527)
Checksums-Sha1: 
 1dc751c69d08451a275a7c9d4556464927ec94b8 1816 arc_5.21q-6.dsc
 65100c93d59dfda9a66d9576b07a8083cbed9f73 6256 arc_5.21q-6.debian.tar.xz
Checksums-Sha256: 
 daf260f63f4c9ded207ab021c8f1ff8fcab866162f4fc865cd01e7cef79647bc 1816 arc_5.21q-6.dsc
 20bc4b7eade21f2a83abea1cb1d5954ae052ba71bed902b4a1e2ded19849dd30 6256 arc_5.21q-6.debian.tar.xz
Files: 
 a5e1917cde13337c33edfce2997b63ba 1816 utils optional arc_5.21q-6.dsc
 a8f7bed0262a03c74d895c4169d73317 6256 utils optional arc_5.21q-6.debian.tar.xz


--- End Message ---