Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-188-1 arj

Debian Security Advisory

DLA-188-1 arj -- LTS security update

Date Reported:

08 Apr 2015

Affected Packages:

arj

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 774015, Bug 774434, Bug 774435.
In Mitre's CVE dictionary: CVE-2015-0556, CVE-2015-0557, CVE-2015-2782.

More information:

Multiple vulnerabilities have been discovered in arj, an open source version of the arj archiver. The Common Vulnerabilities and Exposures project identifies the following problems:

• CVE-2015-0556

  Jakub Wilk discovered that arj follows symlinks created during unpacking of an arj archive. A remote attacker could use this flaw to perform a directory traversal attack if a user or automated system were tricked into processing a specially crafted arj archive.

• CVE-2015-0557

  Jakub Wilk discovered that arj does not sufficiently protect from directory traversal while unpacking an arj archive containing file paths with multiple leading slashes. A remote attacker could use this flaw to write to arbitrary files if a user or automated system were tricked into processing a specially crafted arj archive.

• CVE-2015-2782

  Jakub Wilk and Guillem Jover discovered a buffer overflow vulnerability in arj. A remote attacker could use this flaw to cause an application crash or, possibly, execute arbitrary code with the privileges of the user running arj.