oss-security - Re: jar(1) -- directory traversal

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Message-ID: <20150415075549.GA10766@pisco.westfalen.local>
Date: Wed, 15 Apr 2015 09:55:49 +0200
From: Moritz Muehlenhoff <jmm@...ian.org>
To: oss-security@...ts.openwall.com
Cc: cherepan@...me.ru
Subject: Re: jar(1) -- directory traversal

On Fri, Jan 16, 2015 at 06:03:55AM +0300, Alexander Cherepanov wrote:
> Hi!
> 
> jar(1) in Debian jessie (openjdk-7-jdk 7u71-2.5.3-2) is susceptible to a
> directory traversal vulnerability via absolute and relative paths. Other
> distros could also be interested in this issue.
> 
> Initial report:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774953
> 
> Not sure if this is just CVE-2005-1080 not fixed or something else. But
> please note that CVE-2005-1080 talks about .. only.
> 
> Debian security team forwarded the report to Oracle Security Team at
> 2015-01-12 11:01 +0100. Thanks!

This appears to have been fixed in the recent Java CPU and was assigned
CVE-2015-0480:
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

Cheers,
        Moritz

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.