Bug 606442 - (CVE-2005-1080) CVE-2005-1080 jar: directory traversal vulnerability
CVE-2005-1080 jar: directory traversal vulnerability
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20050104,reported=2...
: Security
: 1180589 (view as bug list)
Depends On: 601816 601824
Blocks: 1180590 1209063
  Show dependency treegraph
 
Reported: 2010-06-21 11:52 EDT by Vincent Danen
Modified: 2015-07-31 02:28 EDT (History)
13 users (show)

See Also:
Fixed In Version: IcedTea6 1.13.7, IcedTea7 2.5.5
Doc Type: Bug Fix
Doc Text:
A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-05-20 16:39:37 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2010-06-21 11:52:15 EDT
Directory traversal vulnerability in the Java Archive Tool (Jar) utility in J2SE SDK 1.4.2, 1.5 allows remote attackers to write arbitrary files via a .. (dot dot) in filenames in a .jar file.

Initially the directory traversal flaw was reported for fastjar (see bug #594497) but was later found to also affect jar.  The vulnerability in jar was reported in January 2005 but was never corrected upstream (CVE-2005-1080).  Bug #594497 has a test script to determine if the vulnerability is present in jar as well as fastjar.
Comment 2 Vincent Danen 2010-06-21 12:00:23 EDT
Created java-1.6.0-openjdk tracking bugs for this issue

Affects: fedora-all [bug 601824]
Comment 3 Vincent Danen 2010-06-21 12:00:34 EDT
Statement:

(none)
Comment 4 Tomas Hoger 2015-04-14 15:59:39 EDT
*** Bug 1180589 has been marked as a duplicate of this bug. ***
Comment 5 errata-xmlrpc 2015-04-14 16:18:45 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2015:0807 https://rhn.redhat.com/errata/RHSA-2015-0807.html
Comment 6 errata-xmlrpc 2015-04-15 11:16:04 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0809 https://rhn.redhat.com/errata/RHSA-2015-0809.html
Comment 7 errata-xmlrpc 2015-04-15 12:58:00 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0808 https://rhn.redhat.com/errata/RHSA-2015-0808.html
Comment 8 errata-xmlrpc 2015-04-15 12:58:28 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0806 https://rhn.redhat.com/errata/RHSA-2015-0806.html
Comment 9 Tomas Hoger 2015-04-16 08:40:20 EDT
This issue was fixed in Oracle Java SE 6u95, 7u79, and 8u45, released with the Oracle Critical Patch Update - April 2015.  Oracle assigned different / duplicate CVE id for this issue - CVE-2015-0480 (bug 1211504).

http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixJAVA
Comment 11 errata-xmlrpc 2015-04-17 06:29:07 EDT
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2015:0854 https://rhn.redhat.com/errata/RHSA-2015-0854.html
Comment 12 errata-xmlrpc 2015-04-20 10:08:31 EDT
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2015:0857 https://rhn.redhat.com/errata/RHSA-2015-0857.html
Comment 13 errata-xmlrpc 2015-04-20 10:28:15 EDT
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2015:0858 https://rhn.redhat.com/errata/RHSA-2015-0858.html
Comment 14 errata-xmlrpc 2015-05-13 09:33:23 EDT
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2015:1007 https://rhn.redhat.com/errata/RHSA-2015-1007.html
Comment 15 errata-xmlrpc 2015-05-13 09:35:24 EDT
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2015:1006 https://rhn.redhat.com/errata/RHSA-2015-1006.html
Comment 16 errata-xmlrpc 2015-05-20 14:36:35 EDT
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2015:1021 https://rhn.redhat.com/errata/RHSA-2015-1021.html
Comment 17 errata-xmlrpc 2015-05-20 15:06:09 EDT
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 7

Via RHSA-2015:1020 https://rhn.redhat.com/errata/RHSA-2015-1020.html
Comment 18 errata-xmlrpc 2015-06-11 09:21:45 EDT
This issue has been addressed in the following products:

  Red Hat Satellite Server v 5.6
  Red Hat Satellite Server v 5.7

Via RHSA-2015:1091 https://rhn.redhat.com/errata/RHSA-2015-1091.html

Note You need to log in before you can comment on or make changes to this bug.