
[SECURITY] [DLA 188-1] arj security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : arj
Version        : 3.10.22-9+deb6u1
CVE ID         : CVE-2015-0556 CVE-2015-0557 CVE-2015-2782
Debian Bug     : 774015 774434 774435

Multiple vulnerabilities have been discovered in arj, an open source
version of the arj archiver. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2015-0556

    Jakub Wilk discovered that arj follows symlinks created during
    unpacking of an arj archive. A remote attacker could use this flaw
    to perform a directory traversal attack if a user or automated
    system were tricked into processing a specially crafted arj archive.

CVE-2015-0557

    Jakub Wilk discovered that arj does not sufficiently protect from
    directory traversal while unpacking an arj archive containing file
    paths with multiple leading slashes. A remote attacker could use
    this flaw to write to arbitrary files if a user or automated system
    were tricked into processing a specially crafted arj archive.

CVE-2015-2782

    Jakub Wilk and Guillem Jover discovered a buffer overflow
    vulnerability in arj. A remote attacker could use this flaw to cause
    an application crash or, possibly, execute arbitrary code with the
    privileges of the user running arj.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----
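
One way an extractor, or a wrapper around one, can enforce the two path-handling properties that CVE-2015-0556 and CVE-2015-0557 concern. This is an added example, not arj's code and not the Debian patch; the function name `open_member_beneath` and its interface are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example (hypothetical helper, not arj's code): create archive member
 * `member` strictly beneath the directory open at `destfd`.
 * Returns a writable fd, or -1 if the name is unsafe. */
int open_member_beneath(int destfd, const char *member)
{
    char buf[4096];
    char *save = NULL;

    /* CVE-2015-0557 class: drop every leading slash, not just the first. */
    while (*member == '/')
        member++;
    if (*member == '\0' || strlen(member) >= sizeof buf)
        return -1;
    strcpy(buf, member);

    int dirfd = dup(destfd);
    if (dirfd < 0)
        return -1;
    for (char *comp = strtok_r(buf, "/", &save); comp != NULL; ) {
        char *next = strtok_r(NULL, "/", &save);
        int fd = -1;

        /* "." and ".." components are rejected outright (fd stays -1). */
        if (strcmp(comp, ".") != 0 && strcmp(comp, "..") != 0) {
            if (next == NULL) {
                /* Final component: O_NOFOLLOW refuses an existing symlink. */
                fd = openat(dirfd, comp,
                            O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
            } else if (mkdirat(dirfd, comp, 0700) == 0 || errno == EEXIST) {
                /* CVE-2015-0556 class: never descend through a symlink,
                 * including one created by an earlier archive member. */
                fd = openat(dirfd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
            }
        }
        close(dirfd);
        if (fd < 0)
            return -1;
        dirfd = fd;
        comp = next;
    }
    return dirfd;
}
```

Because each component is opened relative to a descriptor that is already held, a symlink swapped in between the check and the open is still refused.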

