-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0851
                            arj security update
                               7 April 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           arj
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-2782 CVE-2015-0557 CVE-2015-0556

Original Bulletin: 
   http://www.debian.org/security/2015/dsa-3213

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running arj check for an updated version of the software for their 
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3213-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
April 06, 2015                         http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : arj
CVE ID         : CVE-2015-0556 CVE-2015-0557 CVE-2015-2782
Debian Bug     : 774015 774434 774435

Multiple vulnerabilities have been discovered in arj, an open source
version of the arj archiver. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2015-0556

    Jakub Wilk discovered that arj follows symlinks created during
    unpacking of an arj archive. A remote attacker could use this flaw
    to perform a directory traversal attack if a user or automated
    system were tricked into processing a specially crafted arj archive.

CVE-2015-0557

    Jakub Wilk discovered that arj does not sufficiently protect from
    directory traversal while unpacking an arj archive containing file
    paths with multiple leading slashes. A remote attacker could use
    this flaw to write to arbitrary files if a user or automated system
    were tricked into processing a specially crafted arj archive.

CVE-2015-2782

    Jakub Wilk and Guillem Jover discovered a buffer overflow
    vulnerability in arj. A remote attacker could use this flaw to cause
    an application crash or, possibly, execute arbitrary code with the
    privileges of the user running arj.
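The two path-handling flaws above (CVE-2015-0556, following a symlink planted earlier in the same extraction, and CVE-2015-0557, file names with multiple leading slashes) both come down to checks an extractor must make before it writes each member. The following is an added example written for this bulletin, not code from arj or from Debian: the function names, the treatment of backslashes as separators, and the scratch-directory scenario in demo() are all assumptions constructed here to illustrate the defensive side of the advisory.

```python
"""Defensive path handling for an archive extractor (added example, not arj code).

Two checks are shown: every leading slash is stripped so an absolute name
cannot slip through (the CVE-2015-0557 pattern), and each directory on the
way to the member is inspected with lstat() so a symlink dropped by an
earlier member is refused rather than followed (the CVE-2015-0556 pattern).
"""
import os
import posixpath
import stat
import tempfile


class UnsafeMemberPath(ValueError):
    """Raised when an archive member would be written outside the destination."""


def sanitize_member_name(name: str) -> str:
    """Return a relative, normalised path for an archive member, or raise.

    All leading slashes are removed, not just the first, so '///etc/passwd'
    becomes 'etc/passwd'.  Backslashes are treated as separators (assumption:
    DOS-style names may appear).  A '..' component or an empty result is rejected.
    """
    rel = name.replace("\\", "/").lstrip("/")
    rel = posixpath.normpath(rel)
    if rel in ("", "."):
        raise UnsafeMemberPath(f"empty member name: {name!r}")
    if ".." in rel.split("/"):
        raise UnsafeMemberPath(f"parent reference in member name: {name!r}")
    return rel


def open_member_for_write(dest_root: str, member_name: str) -> int:
    """Create the member file under dest_root and return an open file descriptor.

    Every intermediate directory is checked with lstat() before use: a symbolic
    link anywhere on the path aborts extraction.  The final component is opened
    with O_CREAT | O_EXCL (plus O_NOFOLLOW where the platform has it), so an
    existing symlink or file at the target is refused instead of overwritten.
    """
    rel = sanitize_member_name(member_name)
    current = os.path.realpath(dest_root)
    parts = rel.split("/")
    for part in parts[:-1]:
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            # mkdir() itself fails with EEXIST if a symlink appears here meanwhile,
            # so the lstat/mkdir gap cannot turn into a followed link.
            os.mkdir(current, 0o755)
            continue
        if stat.S_ISLNK(st.st_mode):
            raise UnsafeMemberPath(f"symlink on extraction path: {current}")
        if not stat.S_ISDIR(st.st_mode):
            raise UnsafeMemberPath(f"non-directory on extraction path: {current}")
    target = os.path.join(current, parts[-1])
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        return os.open(target, flags, 0o644)
    except FileExistsError:
        raise UnsafeMemberPath(f"refusing to overwrite existing path: {target}")


def demo() -> dict:
    """Run the advisory's scenarios against constructed member names in a scratch tree.

    Returns the observed behaviours so a caller can check them.
    """
    results = {}
    with tempfile.TemporaryDirectory() as dest, tempfile.TemporaryDirectory() as outside:
        # Constructed name with several leading slashes: must become relative.
        results["leading_slashes"] = sanitize_member_name("///etc/passwd")

        # Constructed name that climbs out of the destination: must be rejected.
        try:
            sanitize_member_name("../../etc/passwd")
            results["traversal_rejected"] = False
        except UnsafeMemberPath:
            results["traversal_rejected"] = True

        # An earlier member "planted" a symlink share -> outside; writing through
        # it must be refused and the outside directory must stay empty.
        os.symlink(outside, os.path.join(dest, "share"))
        try:
            os.close(open_member_for_write(dest, "share/evil.txt"))
            results["symlink_rejected"] = False
        except UnsafeMemberPath:
            results["symlink_rejected"] = True
        results["outside_untouched"] = os.listdir(outside) == []

        # A well-behaved member still extracts normally.
        fd = open_member_for_write(dest, "docs/sub/readme.txt")
        os.write(fd, b"hello\n")
        os.close(fd)
        results["normal_written"] = os.path.isfile(
            os.path.join(dest, "docs", "sub", "readme.txt"))
    return results


if __name__ == "__main__":
    print(demo())
```

The refusal to overwrite an existing file is a deliberately conservative default for the example; a real extractor that supports overwriting would still want the lstat() walk and O_NOFOLLOW, but would open the final component without O_EXCL after checking it with lstat() too.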

For the stable distribution (wheezy), these problems have been fixed in
version 3.10.22-10+deb7u1.

For the upcoming stable distribution (jessie), these problems have been
fixed in version 3.10.22-13.

For the unstable distribution (sid), these problems have been fixed in
version 3.10.22-13.

We recommend that you upgrade your arj packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVSM9iRLndAQH1ShLAQJW4Q/+KD8V4CxaBhgo1/GgUesDFC3xCnGEon9q
h9gwpXYN0i5TyzlZWrJVdpCJkcuVlK4o9b7gbEV02setNRvBbHwRn2gdMdyumBcv
fdBHIL7b3xClzJFqWMdD6KTPOaqLjX3F+OEd9TxjsIzt/sZfDW14tWG682Eseivc
DgkWTiqOjrEXBKQeOP1JO1y7mALW0JUC5XCnoCNVyCz5XK9QK0d3rFXWgCNNcBcQ
tTSOllE1MUBaqqYbPjBfu1vOZv+pYaSGQmWxDHJ10xrXt9yPQmJR4jWMC5A+WYPF
hKPmeOCn2F1foPJfLcdgC0EUz0uAnWBpLHAz4rElYQRRQra3L6ctQTsXjQixAKBN
KYOiohqnEM15TlykEwhjPpSnLqRLRjQM39+nklqLaH9Asu0Ql22zOlE/cmNWMnep
96Km5HPov7zeoc9fO1Ip7TMH34+U0Jr3yzC03uC5mnnrc7PX6qAgnNzcsV9X81qw
5baU+Mc8w/MEOG1+p5lQunxK9/64TpReI3t72hs/nE9pRTp5zgSYcGwhzhZGO8oq
KeaivfkFayX9ivSLn3sxH0/PK32ST/RWSRrnnE6BdI/FMo1PhyV17y4nb3VN5zYd
ynGdYc3lZSMgZbkpV0wwhckyLk5DlIzYB7PAIjmF5sQKvAq2L4VJYzOniPA4N0wO
wthb+Zc+lOg=
=lE2b
-----END PGP SIGNATURE-----