Package name: fastjar
Date: 2010-06-22
Advisory ID: MDVSA-2010:122
Affected versions: 2009.0 x86_64, 2010.0 x86_64, 2010.0 i586, 2009.1 i586, 2009.0 i586, CS4.0 i586, 2008.0 x86_64, CS4.0 x86_64, 2008.0 i586, 2009.1 x86_64

Problem description

A vulnerability has been discovered and corrected in fastjar:

Directory traversal vulnerability in the extract_jar function
in jartool.c in FastJar 0.98 allows remote attackers to create
or overwrite arbitrary files via a .. (dot dot) in a non-initial
pathname component in a filename within a .jar archive, a related
issue to CVE-2005-1080. NOTE: this vulnerability exists because of
an incomplete fix for CVE-2006-3619 (CVE-2010-0831).
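
The difference between checking only the start of an archive entry name and checking every pathname component is shown below. This is an added example, not code from FastJar or from this advisory; both function names and the sample entry names are constructed, and the "leading only" check is an assumed shape for such a gap, not the actual earlier fix.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical incomplete check: rejects absolute names and a leading
 * ".." only. Illustrates the class of gap; not FastJar's code. */
int leading_only_check(const char *name)
{
    if (name[0] == '/')
        return 0;
    if (strncmp(name, "../", 3) == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Walk every '/'-separated component, tracking depth relative to the
 * extraction root; reject the name if any prefix climbs above the root.
 * Lexical only: it does not account for symlinks already on disk. */
int entry_name_is_safe(const char *name)
{
    int depth = 0;
    const char *p = name;

    if (*p == '\0' || *p == '/')
        return 0;
    while (*p) {
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 0;           /* ".." would leave the root */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                /* ordinary component */
        }
        p += len;
        while (*p == '/')
            p++;                    /* skip repeated separators */
    }
    return 1;
}

int main(void)
{
    /* Constructed entry names, not taken from any real archive. */
    const char *names[] = { "META-INF/MANIFEST.MF", "../x", "a/../../x",
                            "a/b/../c", "/etc/x" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-22s leading_only=%d per_component=%d\n", names[i],
               leading_only_check(names[i]), entry_name_is_safe(names[i]));
    return 0;
}
```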

Packages for 2008.0 and 2009.0 are provided as part of the Extended
Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.

Updated packages

2009.0 x86_64

 a7ec5bded41e309a47f11e58b7ce4294  2009.0/x86_64/fastjar-0.95-3.1mdv2009.0.x86_64.rpm 
 cb1a7db7aa0df9f9cf4fec3c2a2e76f8  2009.0/SRPMS/fastjar-0.95-3.1mdv2009.0.src.rpm

2010.0 x86_64

 8d57e00fa9a90d9f99a80fda6ca93be0  2010.0/x86_64/fastjar-0.98-1.1mdv2010.0.x86_64.rpm 
 0319890b30ed72964f5061e8c668f868  2010.0/SRPMS/fastjar-0.98-1.1mdv2010.0.src.rpm

2010.0 i586

 235889aecb0c352a7fa79a78db132635  2010.0/i586/fastjar-0.98-1.1mdv2010.0.i586.rpm 
 0319890b30ed72964f5061e8c668f868  2010.0/SRPMS/fastjar-0.98-1.1mdv2010.0.src.rpm

2009.1 i586

 c2df3e75f81444460e5bef18bc537a0d  2009.1/i586/fastjar-0.97-1.1mdv2009.1.i586.rpm 
 ea0e50c4339801ef26b3731d381c43a8  2009.1/SRPMS/fastjar-0.97-1.1mdv2009.1.src.rpm

2009.0 i586

 f77fefb84163a9c08ed43444464ca745  2009.0/i586/fastjar-0.95-3.1mdv2009.0.i586.rpm 
 cb1a7db7aa0df9f9cf4fec3c2a2e76f8  2009.0/SRPMS/fastjar-0.95-3.1mdv2009.0.src.rpm

CS4.0 i586

 8ae0be32bc0c26d6a5b4b44b28a8be24  corporate/4.0/i586/gcc-4.0.1-5.4.20060mlcs4.i586.rpm
 79f01b28da32b36221815ecb9c6b0800  corporate/4.0/i586/gcc-c++-4.0.1-5.4.20060mlcs4.i586.rpm
 5d500cfca2c534a9c3dae5285b090921  corporate/4.0/i586/gcc-colorgcc-4.0.1-5.4.20060mlcs4.i586.rpm
 8a3db9618eee24158e715753ab85c87c  corporate/4.0/i586/gcc-cpp-4.0.1-5.4.20060mlcs4.i586.rpm
 e38e095b4a82f6f34185404dd4e24f9d  corporate/4.0/i586/gcc-doc-4.0.1-5.4.20060mlcs4.i586.rpm
 e29739a30fcf203f690809d4d5a1b7dc  corporate/4.0/i586/gcc-doc-pdf-4.0.1-5.4.20060mlcs4.i586.rpm
 a52b298e755784e350671213c048e347  corporate/4.0/i586/gcc-gfortran-4.0.1-5.4.20060mlcs4.i586.rpm
 739f22bac9eff8ff1ce925a35913ec4d  corporate/4.0/i586/gcc-gnat-4.0.1-5.4.20060mlcs4.i586.rpm
 5c6d85c2596ebe896599282d1246ac51  corporate/4.0/i586/gcc-java-4.0.1-5.4.20060mlcs4.i586.rpm
 c58741df491cbe7ec865aa8abfb223b8  corporate/4.0/i586/gcc-objc-4.0.1-5.4.20060mlcs4.i586.rpm
 b3b6f955e048d4c4484cb8abca5b024f  corporate/4.0/i586/gcj-tools-4.0.1-5.4.20060mlcs4.i586.rpm
 7481fccd210e1b05ee680d3b82b1958f  corporate/4.0/i586/libffi4-devel-4.0.1-5.4.20060mlcs4.i586.rpm
 6812a0c08289f467d9d7f87689193f50  corporate/4.0/i586/libgcc1-4.0.1-5.4.20060mlcs4.i586.rpm
 71ec24cb023ea717a873caca52094de7  corporate/4.0/i586/libgcj6-4.0.1-5.4.20060mlcs4.i586.rpm
 cba3e17bf4a6bb4db07e81530e61bbfe  corporate/4.0/i586/libgcj6-base-4.0.1-5.4.20060mlcs4.i586.rpm
 5d2ea3afb4f9ddb67702ccbf3eaf1dc8  corporate/4.0/i586/libgcj6-devel-4.0.1-5.4.20060mlcs4.i586.rpm
 90a2ddd64e638cebc99353e9ed1b9007  corporate/4.0/i586/libgcj6-src-4.0.1-5.4.20060mlcs4.i586.rpm
 e560796ba713a55d72ef46d50dc064a0  corporate/4.0/i586/libgcj6-static-devel-4.0.1-5.4.20060mlcs4.i586.rpm
 fcf35776137fe8b4f2bdd6105a887823  corporate/4.0/i586/libgfortran0-4.0.1-5.4.20060mlcs4.i586.rpm
 ab1cd67788ae4b69544a101f36f5a706  corporate/4.0/i586/libgnat1-4.0.1-5.4.20060mlcs4.i586.rpm
 fecffb2b88e2695a3b88d8f804f020bb  corporate/4.0/i586/libmudflap0-4.0.1-5.4.20060mlcs4.i586.rpm
 40307f8fa9f4e4ba74fd713279ebf76f  corporate/4.0/i586/libmudflap0-devel-4.0.1-5.4.20060mlcs4.i586.rpm
 c834d7ea558059c7c89e0b7d4aac2079  corporate/4.0/i586/libobjc1-4.0.1-5.4.20060mlcs4.i586.rpm
 c5120c50910e9008f2ae6723b5928caa  corporate/4.0/i586/libstdc++6-4.0.1-5.4.20060mlcs4.i586.rpm
 1ca5368024a7bc2a84ab3ed7cd90553a  corporate/4.0/i586/libstdc++6-devel-4.0.1-5.4.20060mlcs4.i586.rpm
 31bc41b0d17d3065f9987efcafb69dd6  corporate/4.0/i586/libstdc++6-static-devel-4.0.1-5.4.20060mlcs4.i586.rpm 
 f418034fdacecb6bc1b7726e56a447dc  corporate/4.0/SRPMS/gcc-4.0.1-5.4.20060mlcs4.src.rpm

2008.0 x86_64

 6d30855f5164f15ada36fb6560d5e98d  2008.0/x86_64/fastjar-0.95-1.1mdv2008.0.x86_64.rpm 
 14db3823db1af8e68f5f5691ca360a4f  2008.0/SRPMS/fastjar-0.95-1.1mdv2008.0.src.rpm

CS4.0 x86_64

 63bfefa0e490a6aa08967adc3a06f925  corporate/4.0/x86_64/gcc-4.0.1-5.4.20060mlcs4.x86_64.rpm
 49eb12c3c36742dc0cb559b5c750b190  corporate/4.0/x86_64/gcc-c++-4.0.1-5.4.20060mlcs4.x86_64.rpm
 c6e9330378e6f1ec70a9354518c7db16  corporate/4.0/x86_64/gcc-colorgcc-4.0.1-5.4.20060mlcs4.x86_64.rpm
 2f8c1cee7fc98bf8f10d543e4c415708  corporate/4.0/x86_64/gcc-cpp-4.0.1-5.4.20060mlcs4.x86_64.rpm
 613fad43e7bb87461dd5bc68f8862038  corporate/4.0/x86_64/gcc-doc-4.0.1-5.4.20060mlcs4.x86_64.rpm
 0bab884d8bdb58c5b3be5496dab428f6  corporate/4.0/x86_64/gcc-doc-pdf-4.0.1-5.4.20060mlcs4.x86_64.rpm
 b69bfa9652946c2707475582c7406d18  corporate/4.0/x86_64/gcc-gfortran-4.0.1-5.4.20060mlcs4.x86_64.rpm
 3f6774d2585a2349661c6fb31c84ab41  corporate/4.0/x86_64/gcc-gnat-4.0.1-5.4.20060mlcs4.x86_64.rpm
 045915b26d3bb9add72f3dd1205418ca  corporate/4.0/x86_64/gcc-java-4.0.1-5.4.20060mlcs4.x86_64.rpm
 b3ca49d5474b61c30b8f5b6a9cbd3840  corporate/4.0/x86_64/gcc-objc-4.0.1-5.4.20060mlcs4.x86_64.rpm
 6514bab1ccc69984b0320c301b39fb50  corporate/4.0/x86_64/gcj-tools-4.0.1-5.4.20060mlcs4.x86_64.rpm
 3abd67ccf72a2bb6b288a6d633f1abf8  corporate/4.0/x86_64/lib64gcj6-4.0.1-5.4.20060mlcs4.x86_64.rpm
 6f7387060f5450d9a4123471b46ee85c  corporate/4.0/x86_64/lib64gcj6-devel-4.0.1-5.4.20060mlcs4.x86_64.rpm
 291e1108c8649f3358f1a2e4fcc2951e  corporate/4.0/x86_64/lib64gcj6-static-devel-4.0.1-5.4.20060mlcs4.x86_64.rpm
 99c3f5dd17599103b36192949d8bef4d  corporate/4.0/x86_64/libffi4-devel-4.0.1-5.4.20060mlcs4.x86_64.rpm
 ee4e4b0d50d243eafb8ca330efb3fa76  corporate/4.0/x86_64/libgcc1-4.0.1-5.4.20060mlcs4.x86_64.rpm
 ed3fab0bb728e81ef2f05712fed3170a  corporate/4.0/x86_64/libgcj6-base-4.0.1-5.4.20060mlcs4.x86_64.rpm
 334fbf494c48521e2d1e6fd25dc04060  corporate/4.0/x86_64/libgcj6-src-4.0.1-5.4.20060mlcs4.x86_64.rpm
 5465686d44c49a4fdb66f12d86463b71  corporate/4.0/x86_64/libgfortran0-4.0.1-5.4.20060mlcs4.x86_64.rpm
 f5a6f8f05eeba6756d0d95392ff2df1b  corporate/4.0/x86_64/libgnat1-4.0.1-5.4.20060mlcs4.x86_64.rpm
 f463eb6f69b9a8476339d12d955d3999  corporate/4.0/x86_64/libmudflap0-4.0.1-5.4.20060mlcs4.x86_64.rpm
 571a27d904dc147513037de3d9750e5d  corporate/4.0/x86_64/libmudflap0-devel-4.0.1-5.4.20060mlcs4.x86_64.rpm
 5d79033dd3213df96acdbc780d8ff749  corporate/4.0/x86_64/libobjc1-4.0.1-5.4.20060mlcs4.x86_64.rpm
 e3fc96bc5b4eb9eeae2abb434dc9cf32  corporate/4.0/x86_64/libstdc++6-4.0.1-5.4.20060mlcs4.x86_64.rpm
 895909a6655f11d782c14a1c482a2851  corporate/4.0/x86_64/libstdc++6-devel-4.0.1-5.4.20060mlcs4.x86_64.rpm
 3148e7eb8d655ec4740d6bc3f2cef9b6  corporate/4.0/x86_64/libstdc++6-static-devel-4.0.1-5.4.20060mlcs4.x86_64.rpm 
 f418034fdacecb6bc1b7726e56a447dc  corporate/4.0/SRPMS/gcc-4.0.1-5.4.20060mlcs4.src.rpm

2008.0 i586

 29cfbaec7e6255eb665bc78192b65bd4  2008.0/i586/fastjar-0.95-1.1mdv2008.0.i586.rpm 
 14db3823db1af8e68f5f5691ca360a4f  2008.0/SRPMS/fastjar-0.95-1.1mdv2008.0.src.rpm

2009.1 x86_64

 acbc81b4f44458db7b3d4e4936f2243d  2009.1/x86_64/fastjar-0.97-1.1mdv2009.1.x86_64.rpm 
 ea0e50c4339801ef26b3731d381c43a8  2009.1/SRPMS/fastjar-0.97-1.1mdv2009.1.src.rpm
