Your message dated Mon, 04 Feb 2019 21:47:08 +0000
with message-id <e1gqm56-0001lz...@fasolo.debian.org>
and subject line Bug#774527: fixed in arc 5.21q-4+deb9u1
has caused the Debian Bug report #774527,
regarding arc: CVE-2015-9275: directory traversal
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
774527: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774527
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: arc
Version: 5.21q-1
Tags: security

arc is susceptible to directory traversal:

$ pwd
/home/jwilk

$ arc x traversal.arc
Extracting file: /tmp/moo

$ ls -l /tmp/moo
-rw-r--r-- 1 jwilk users 4 Jan  4  2015 /tmp/moo


The script I used to create the test case is available at:
https://bitbucket.org/jwilk/path-traversal-samples

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages arc depends on:
ii  libc6  2.19-13

--
Jakub Wilk

Attachment: traversal.arc
Description: Binary data


--- End Message ---
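
A defensive check for the behaviour reported above, as an added example (not part of the original messages and not the patch shipped in 5.21q-4+deb9u1): it refuses a member name such as /tmp/moo before any output file is created. The 13-byte name field (ARC_FNLEN), the function name and the flat-extraction policy are assumptions of this example.

```c
/* Added example: validate the name field of an ARC member header before
 * creating the output file. Not the code from the Debian patch. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARC_FNLEN 13 /* assumed width of the NUL-terminated name field */

/* Return 1 if the name may be created in the current directory, 0 if the
 * member must be skipped. Policy (an assumption of this example): members
 * are extracted flat, so any path separator or drive prefix is refused. */
int arc_name_is_safe(const char *field, size_t field_len)
{
    size_t len = 0, i;

    /* Never trust the archive to terminate the field. */
    while (len < field_len && field[len] != '\0')
        len++;
    if (len == 0 || len == field_len)
        return 0;                      /* empty or unterminated */

    /* "." and ".." name directories, not files. */
    if (strcmp(field, ".") == 0 || strcmp(field, "..") == 0)
        return 0;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)field[i];
        if (c == '/' || c == '\\' || c == ':' || c < 0x20)
            return 0;                  /* separator, drive prefix, control */
    }
    return 1;
}

int main(void)
{
    /* Constructed name fields; "/tmp/moo" is the name from the report. */
    const char samples[][ARC_FNLEN] = { "/tmp/moo", "../moo", "..", "MOO.TXT" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s %s\n", samples[i],
               arc_name_is_safe(samples[i], ARC_FNLEN) ? "extract" : "skip");
    return 0;
}
```
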
--- Begin Message ---
Source: arc
Source-Version: 5.21q-4+deb9u1

We believe that the bug you reported is fixed in the latest version of
arc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated arc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 03 Feb 2019 22:39:01 +0100
Source: arc
Binary: arc
Architecture: source
Version: 5.21q-4+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Adilson dos Reis <adilsondosr...@yahoo.com.br>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 774527
Description: 
 arc        - Archive utility based on the MSDOS ARC program
Changes:
 arc (5.21q-4+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Fix version 1 arc header reading
   * Fix arcdie crash when called with more than 1 variable argument
   * Fix directory traversal bugs (CVE-2015-9275)
     Thanks to Hans de Goede <hdego...@redhat.com> (Closes: #774527)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
