Debian Security Advisory

DLA-188-1 arj -- LTS security update

Date Reported:
08 Apr 2015
Affected Packages:
arj
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 774015, Bug 774434, Bug 774435.
In Mitre's CVE dictionary: CVE-2015-0556, CVE-2015-0557, CVE-2015-2782.
More information:

Multiple vulnerabilities have been discovered in arj, an open source version of the arj archiver. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2015-0556

    Jakub Wilk discovered that arj follows symlinks created during unpacking of an arj archive. A remote attacker could use this flaw to perform a directory traversal attack if a user or automated system were tricked into processing a specially crafted arj archive.

  • CVE-2015-0557

    Jakub Wilk discovered that arj does not sufficiently protect from directory traversal while unpacking an arj archive containing file paths with multiple leading slashes. A remote attacker could use this flaw to write to arbitrary files if a user or automated system were tricked into processing a specially crafted arj archive.

  • CVE-2015-2782

    Jakub Wilk and Guillem Jover discovered a buffer overflow vulnerability in arj. A remote attacker could use this flaw to cause an application crash or, possibly, execute arbitrary code with the privileges of the user running arj.