This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.
[Bug fastjar/28359] New: fastjar directory traversal problem
- From: "marcus at jet dot franken dot de" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: 12 Jul 2006 14:49:59 -0000
- Subject: [Bug fastjar/28359] New: fastjar directory traversal problem
- Reply-to: gcc-bugzilla at gcc dot gnu dot org
fastjar contains the following security problem:
When a JAR archive is extracted with filenames with "../" inside, it can
extract files outside of the current directory (a so-called directory
traversal).
Unsuspecting users unpacking such files could overwrite their own files,
or even system files when being root.
I am attaching a sample "cups.jar" from an earlier CUPS tarball, which exposes
this problem.
--
Summary: fastjar directory traversal problem
Product: gcc
Version: 4.1.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: fastjar
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: marcus at jet dot franken dot de
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=28359
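
The check an extractor needs before creating any file from an archive entry, as an added example (not fastjar's code and not the fix applied for this bug). The function name and the sample entry names are hypothetical and constructed here. It rejects absolute names and any ".." path component; it does not cover symlinks already present in the extraction directory.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 if an archive entry name may be extracted
 * beneath the current directory, 0 if it must be refused. */
int entry_name_is_safe(const char *name)
{
    const char *p = name;

    if (name == NULL || *name == '\0')
        return 0;                       /* empty name: nothing sane to create */
    if (*name == '/')
        return 0;                       /* absolute path escapes the target dir */

    /* Walk the name one '/'-separated component at a time. */
    while (*p != '\0') {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        /* Refuse every ".." component, even one that would lexically stay
         * inside the tree: "a/../b" is not safe if "a" is a symlink. */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;

        p += len;
        if (*p == '/')
            p++;                        /* skip the separator */
    }
    return 1;
}

int main(void)
{
    /* Constructed entry names, as they might appear in a JAR central directory. */
    static const char *names[] = {
        "META-INF/MANIFEST.MF", "com/example/Foo.class", "foo..bar/x..class",
        "../../etc/passwd", "a/../../b", "/etc/passwd", "a/..", ""
    };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-24s %s\n", names[i],
               entry_name_is_safe(names[i]) ? "extract" : "REJECT");
    return 0;
}
```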