Debian Security Advisory
DLA-188-1 arj -- LTS security update
- Date Reported: 08 Apr 2015
- Affected Packages: arj
- Security database references:
  In the Debian bugtracking system: Bug 774015, Bug 774434, Bug 774435.
  In Mitre's CVE dictionary: CVE-2015-0556, CVE-2015-0557, CVE-2015-2782.
- More information:
Multiple vulnerabilities have been discovered in arj, an open source version of the arj archiver. The Common Vulnerabilities and Exposures project identifies the following problems:
Jakub Wilk discovered that arj follows symlinks created during unpacking of an arj archive. A remote attacker could use this flaw to perform a directory traversal attack if a user or automated system were tricked into processing a specially crafted arj archive.
Jakub Wilk discovered that arj does not sufficiently protect from directory traversal while unpacking an arj archive containing file paths with multiple leading slashes. A remote attacker could use this flaw to write to arbitrary files if a user or automated system were tricked into processing a specially crafted arj archive.
Jakub Wilk and Guillem Jover discovered a buffer overflow vulnerability in arj. A remote attacker could use this flaw to cause an application crash or, possibly, execute arbitrary code with the privileges of the user running arj.
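The first two problems above (symlinks created during unpacking being followed, and member names with multiple leading slashes slipping past path sanitisation) both come down to how an extractor validates member names and creates files. The following is an added Python example, not arj's code and not part of the advisory: a hypothetical extractor-side check that rejects absolute and parent-traversing names however many leading slashes they carry, and that creates files without following symlinks, run over a constructed list of archive members. The function names, the member list and the sample paths are all assumptions for illustration.

```python
"""Hypothetical safe-extraction checks (example code, not arj's own).

Two bug classes from the advisory are handled:
 1. member names with one or more leading slashes, or '..' components,
    that would escape the extraction directory;
 2. a symlink created by an earlier member being followed when a later
    member is written through it.
"""
import os
import tempfile


def member_name_is_safe(name: str) -> bool:
    """Return True if an archive member name may be written under root.

    Rejects absolute names (any number of leading '/' or '\\'), names with
    a '..' component, and empty names.  Stripping only one leading slash is
    exactly the weak sanitisation the advisory describes: '//tmp/x' would
    survive it as '/tmp/x', so we reject on the first character instead.
    """
    if not name:
        return False
    normalised = name.replace("\\", "/")
    if normalised.startswith("/"):
        return False
    parts = [p for p in normalised.split("/") if p not in ("", ".")]
    if not parts:
        return False
    return ".." not in parts


def resolve_member_path(root: str, name: str) -> str:
    """Join name onto root and confirm the result stays inside root.

    Defence in depth over member_name_is_safe(): after joining and
    normalising, root must still be a prefix of the target path.
    """
    if not member_name_is_safe(name):
        raise ValueError(f"unsafe member name: {name!r}")
    root_abs = os.path.realpath(root)
    target = os.path.normpath(os.path.join(root_abs, name.replace("\\", "/")))
    if os.path.commonpath([root_abs, target]) != root_abs:
        raise ValueError(f"member escapes extraction root: {name!r}")
    return target


def write_member_nofollow(root: str, name: str, data: bytes) -> str:
    """Create the file for a member without following symlinks.

    Each directory between root and the file is checked with an lstat-based
    test so that a symlink dropped by an earlier member cannot redirect this
    write; the file itself is opened with O_CREAT | O_EXCL | O_NOFOLLOW.
    """
    target = resolve_member_path(root, name)
    root_abs = os.path.realpath(root)
    current = root_abs
    for component in os.path.relpath(target, root_abs).split(os.sep)[:-1]:
        current = os.path.join(current, component)
        if os.path.lexists(current):
            if os.path.islink(current):
                raise ValueError(f"refusing to traverse symlink: {current}")
        else:
            os.mkdir(current)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


# Constructed archive contents (assumed for the example): a benign file,
# a multi-slash absolute name, a parent traversal, a symlink member, and a
# member that would be written through that symlink.
CONSTRUCTED_MEMBERS = [
    ("docs/readme.txt", b"benign content\n"),
    ("//tmp/escape.txt", b"multiple leading slashes\n"),
    ("../outside.txt", b"parent traversal\n"),
    ("link", ("symlink", "/")),
    ("link/etc/motd", b"would be written through the symlink\n"),
]


def simulate_extraction(members):
    """Extract the members into a fresh temporary directory and report,
    per member, whether it was written or why it was rejected.
    Symlink members are represented as ("symlink", link_target)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name, payload in members:
            try:
                if isinstance(payload, tuple) and payload[0] == "symlink":
                    os.symlink(payload[1], resolve_member_path(root, name))
                    results[name] = "symlink created"
                else:
                    write_member_nofollow(root, name, payload)
                    results[name] = "written"
            except (ValueError, FileExistsError) as exc:
                results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for member, outcome in simulate_extraction(CONSTRUCTED_MEMBERS).items():
        print(f"{member:20s} {outcome}")
```

The symlink member itself is allowed to be created (its name is inside root), but the later member that tries to write through it is refused because the lstat-based walk sees a symlink where it expects a directory; this is the behaviour the advisory says arj lacked.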