-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0851
                            arj security update
                                7 April 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           arj
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-2782 CVE-2015-0557 CVE-2015-0556

Original Bulletin:
   http://www.debian.org/security/2015/dsa-3213

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running arj check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3213-1                   security@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
April 06, 2015                        http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : arj
CVE ID         : CVE-2015-0556 CVE-2015-0557 CVE-2015-2782
Debian Bug     : 774015 774434 774435

Multiple vulnerabilities have been discovered in arj, an open source
version of the arj archiver. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2015-0556

    Jakub Wilk discovered that arj follows symlinks created during
    unpacking of an arj archive. A remote attacker could use this flaw
    to perform a directory traversal attack if a user or automated
    system were tricked into processing a specially crafted arj
    archive.

CVE-2015-0557

    Jakub Wilk discovered that arj does not sufficiently protect from
    directory traversal while unpacking an arj archive containing file
    paths with multiple leading slashes. A remote attacker could use
    this flaw to write to arbitrary files if a user or automated system
    were tricked into processing a specially crafted arj archive.

CVE-2015-2782

    Jakub Wilk and Guillem Jover discovered a buffer overflow
    vulnerability in arj. A remote attacker could use this flaw to
    cause an application crash or, possibly, execute arbitrary code
    with the privileges of the user running arj.

For the stable distribution (wheezy), these problems have been fixed in
version 3.10.22-10+deb7u1.

For the upcoming stable distribution (jessie), these problems have been
fixed in version 3.10.22-13.

For the unstable distribution (sid), these problems have been fixed in
version 3.10.22-13.

We recommend that you upgrade your arj packages.
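The two extraction bugs above are the standard archive-unpacking pitfalls: a member name that is not reduced to a safe relative path (CVE-2015-0557) and an on-disk symlink that is silently followed while writing (CVE-2015-0556). The following Python is an added illustration of the checks a defender expects an extractor to make; it is not code from the advisory or from arj, and the function names and the constructed member list are my own.

```python
import os
import tempfile

def sanitize_member_path(name):
    """Reduce a member name to a relative path that cannot leave the destination."""
    # Strip all leading slashes (CVE-2015-0557: arj stripped only one), treat '\' as a
    # separator too (ARJ is a DOS-era format), drop '' and '.' parts, reject any '..'.
    parts = [p for p in name.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("unsafe member name %r" % name)
    return "/".join(parts)

def open_extract_target(dest_dir, name):
    """Create the output file for member `name` under `dest_dir`; return its fd."""
    *dirs, leaf = sanitize_member_path(name).split("/")
    current = dest_dir
    for d in dirs:
        current = os.path.join(current, d)
        if os.path.islink(current):  # CVE-2015-0556: arj followed links it had just unpacked
            raise ValueError("%s is a symlink" % current)
        if not os.path.isdir(current):
            os.mkdir(current, 0o755)
    # O_EXCL|O_NOFOLLOW: fail rather than write through anything (a link included) at the leaf.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        return os.open(os.path.join(current, leaf), flags, 0o644)
    except FileExistsError:
        raise ValueError("%s already exists (possibly a symlink)" % leaf)

def extract_members(dest_dir, members):
    """Extract (name, data) pairs; return {name: 'written' or 'rejected: <why>'}."""
    results = {}
    for name, data in members:
        try:
            fd = open_extract_target(dest_dir, name)
        except (ValueError, OSError) as exc:
            results[name] = "rejected: %s" % exc
            continue
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        results[name] = "written"
    return results

def demo():
    """Constructed scenario (not from the advisory): two planted links, four members."""
    dest, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.symlink(outside, os.path.join(dest, "lnk"))                       # link to a directory
    os.symlink(os.path.join(outside, "f"), os.path.join(dest, "flink"))  # link where a file goes
    members = [("lnk/pwn.txt", b"1"), ("flink", b"2"), ("///ok/file.txt", b"3"), ("../up", b"4")]
    return extract_members(dest, members), sorted(os.listdir(outside))
```

Running `demo()` writes only `ok/file.txt` under the destination and leaves the directory behind the planted links empty; the islink check is still a check-then-act window, so a hardened extractor would use `openat`/`O_NOFOLLOW` on every component rather than path strings.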
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417                      (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----