Red Hat Bugzilla – Bug 202680
CVE-2006-3619 Directory traversal issue in fastjar
Last modified: 2007-11-30 17:11:40 EST
We ship fastjar in libgcj in FC6test2, which looks vulnerable to this issue.
+++ This bug was initially created as a clone of Bug #198912 +++
When unpacking a .JAR archive with filenames with "../../../...." in them,
"fastjar" from GCC will happily unpack in the "../../../...." directory.
(Credits go to Juergen Weigert for finding this.)
The GCC bug report can be found here:
Correct, this is fixed by the backported patch gcc41-CVE-2006-3619.patch; I'd missed
this in the initial scan. Thanks!
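
The report above describes entry names containing "../" being honoured during extraction. A lexical check an extractor can run on each entry name before creating the file, as an added example that is not fastjar's code and not the contents of gcc41-CVE-2006-3619.patch; the function name `entry_name_is_safe` and the sample entry names are constructed for illustration:

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if the archive entry name stays beneath the extraction
 * directory, 0 if it is empty, absolute, or climbs above it via "..". */
int entry_name_is_safe(const char *name)
{
    int depth = 0;              /* levels below the extraction root */
    const char *p = name;

    if (name == NULL || *name == '\0')
        return 0;
    if (*name == '/')           /* absolute path ignores the extraction root */
        return 0;

    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)    /* would step above the extraction root */
                return 0;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;            /* ordinary component; "" and "." are no-ops */
        }
        p += len;
        if (*p == '/')
            p++;
    }
    return 1;
}

int main(void)
{
    /* Constructed entry names, not taken from any real archive. */
    const char *samples[] = {
        "META-INF/MANIFEST.MF", "a/b/../c.class", "../../../etc/evil",
        "a/../../evil", "/abs/path", "./ok.txt", "a/..",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i],
               entry_name_is_safe(samples[i]) ? "extract" : "reject");
    return 0;
}
```

The check is purely lexical: it does not account for symbolic links that already exist under the extraction directory, so an extractor that must also defend against those needs to resolve the final path before writing.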