Bug 606442 (CVE-2005-1080) - CVE-2005-1080 jar: directory traversal vulnerability
Summary: CVE-2005-1080 jar: directory traversal vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2005-1080
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1180589 (view as bug list)
Depends On: 601816 601824
Blocks: 1180590 1209063
TreeView+ depends on / blocked
 
Reported: 2010-06-21 15:52 UTC by Vincent Danen
Modified: 2021-02-24 22:56 UTC (History)
13 users (show)

Fixed In Version: IcedTea6 1.13.7, IcedTea7 2.5.5
Doc Type: Bug Fix
Doc Text:
A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted.
Clone Of:
Environment:
Last Closed: 2015-05-20 20:39:37 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0806 0 normal SHIPPED_LIVE Critical: java-1.7.0-openjdk security update 2015-04-15 20:54:17 UTC
Red Hat Product Errata RHSA-2015:0807 0 normal SHIPPED_LIVE Important: java-1.7.0-openjdk security update 2015-04-15 00:18:32 UTC
Red Hat Product Errata RHSA-2015:0808 0 normal SHIPPED_LIVE Important: java-1.6.0-openjdk security update 2015-04-15 20:44:55 UTC
Red Hat Product Errata RHSA-2015:0809 0 normal SHIPPED_LIVE Important: java-1.8.0-openjdk security update 2015-04-15 19:15:09 UTC
Red Hat Product Errata RHSA-2015:0854 0 normal SHIPPED_LIVE Critical: java-1.8.0-oracle security update 2017-12-15 15:34:03 UTC
Red Hat Product Errata RHSA-2015:0857 0 normal SHIPPED_LIVE Critical: java-1.7.0-oracle security update 2017-12-15 15:35:29 UTC
Red Hat Product Errata RHSA-2015:0858 0 normal SHIPPED_LIVE Important: java-1.6.0-sun security update 2017-12-15 15:32:13 UTC
Red Hat Product Errata RHSA-2015:1006 0 normal SHIPPED_LIVE Critical: java-1.6.0-ibm security update 2015-05-13 17:34:08 UTC
Red Hat Product Errata RHSA-2015:1007 0 normal SHIPPED_LIVE Critical: java-1.7.0-ibm security update 2015-05-13 17:33:04 UTC
Red Hat Product Errata RHSA-2015:1020 0 normal SHIPPED_LIVE Critical: java-1.7.1-ibm security update 2015-05-20 23:05:51 UTC
Red Hat Product Errata RHSA-2015:1021 0 normal SHIPPED_LIVE Important: java-1.5.0-ibm security update 2015-05-20 22:36:22 UTC
Red Hat Product Errata RHSA-2015:1091 0 normal SHIPPED_LIVE Low: Red Hat Satellite IBM Java Runtime security update 2015-06-11 17:21:29 UTC

Description Vincent Danen 2010-06-21 15:52:15 UTC
Directory traversal vulnerability in the Java Archive Tool (Jar) utility in J2SE SDK 1.4.2, 1.5 allows remote attackers to write arbitrary files via a .. (dot dot) in filenames in a .jar file.

Initially the directory traversal flaw was reported for fastjar (see bug #594497) but was later found to also affect jar.  The vulnerability in jar was reported in January 2005 but was never corrected upstream (CVE-2005-1080).  Bug #594497 has a test script to determine if the vulnerability is present in jar as well as fastjar.

Comment 2 Vincent Danen 2010-06-21 16:00:23 UTC
Created java-1.6.0-openjdk tracking bugs for this issue

Affects: fedora-all [bug 601824]

Comment 3 Vincent Danen 2010-06-21 16:00:34 UTC
Statement:

(none)

Comment 4 Tomas Hoger 2015-04-14 19:59:39 UTC
*** Bug 1180589 has been marked as a duplicate of this bug. ***

Comment 5 errata-xmlrpc 2015-04-14 20:18:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2015:0807 https://rhn.redhat.com/errata/RHSA-2015-0807.html

Comment 6 errata-xmlrpc 2015-04-15 15:16:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0809 https://rhn.redhat.com/errata/RHSA-2015-0809.html

Comment 7 errata-xmlrpc 2015-04-15 16:58:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0808 https://rhn.redhat.com/errata/RHSA-2015-0808.html

Comment 8 errata-xmlrpc 2015-04-15 16:58:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0806 https://rhn.redhat.com/errata/RHSA-2015-0806.html

Comment 9 Tomas Hoger 2015-04-16 12:40:20 UTC
This issue was fixed in Oracle Java SE 6u95, 7u79, and 8u45, released with the Oracle Critical Patch Update - April 2015.  Oracle assigned different / duplicate CVE id for this issue - CVE-2015-0480 (bug 1211504).

http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixJAVA

Comment 11 errata-xmlrpc 2015-04-17 10:29:07 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2015:0854 https://rhn.redhat.com/errata/RHSA-2015-0854.html

Comment 12 errata-xmlrpc 2015-04-20 14:08:31 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2015:0857 https://rhn.redhat.com/errata/RHSA-2015-0857.html

Comment 13 errata-xmlrpc 2015-04-20 14:28:15 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2015:0858 https://rhn.redhat.com/errata/RHSA-2015-0858.html

Comment 14 errata-xmlrpc 2015-05-13 13:33:23 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2015:1007 https://rhn.redhat.com/errata/RHSA-2015-1007.html

Comment 15 errata-xmlrpc 2015-05-13 13:35:24 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2015:1006 https://rhn.redhat.com/errata/RHSA-2015-1006.html

Comment 16 errata-xmlrpc 2015-05-20 18:36:35 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2015:1021 https://rhn.redhat.com/errata/RHSA-2015-1021.html

Comment 17 errata-xmlrpc 2015-05-20 19:06:09 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 7

Via RHSA-2015:1020 https://rhn.redhat.com/errata/RHSA-2015-1020.html

Comment 18 errata-xmlrpc 2015-06-11 13:21:45 UTC
This issue has been addressed in the following products:

  Red Hat Satellite Server v 5.6
  Red Hat Satellite Server v 5.7

Via RHSA-2015:1091 https://rhn.redhat.com/errata/RHSA-2015-1091.html


Note You need to log in before you can comment on or make changes to this bug.