A directory traversal flaw was found in the way the MountManager class implementation of libbluray, a library to access Blu-Ray disks for video playback, performed expansion of certain JAR archives / files. An attacker could provide a specially-crafted JAR file that, when expanded by the MountManager, could lead to file system entries / directory traversal (possibly leading to their ability [in a destructive way] to overwrite arbitrary file, accessible with the privileges of the user running the application utilizing the libbluray library). This issue was discovered by Florian Weimer of Red Hat Product Security Team.
This issue affects the versions of the libbluray package, as shipped with Fedora release of 17, 18, and Fedora EPEL-6.
From the original report by Florian Weimer: The other problem is that this code further below does not guard against directory traversal attacks from a malicious JAR file: File out = new File(tmpDir + File.separator + entry.getName()); if (entry.isDirectory()) { out.mkdir(); } else { InputStream inStream = jar.getInputStream(entry); OutputStream outStream = new FileOutputStream(out); while (inStream.available() > 0) { outStream.write(inStream.read()); } inStream.close(); outStream.close(); }
Created libbluray tracking bugs for this issue: Affects: fedora-all [bug 1381796] Affects: epel-6 [bug 1381797]
I'm confused on the status of this bug. It was closed as NOTABUG, but there was no comment as to why. Is the issue still current or not ? Fedora has a newer version than EL7, so I guess its' not affected (https://bugzilla.redhat.com/show_bug.cgi?id=1381796). EPEL6 might still have the issue as the version is earlier than EL7 and wasn't updated due to soname bump (https://bugzilla.redhat.com/show_bug.cgi?id=1381797).
The NOTABUG status reflects Red Hat products (EL7 in this case). In "Depends On", you can see bugs were filed for Fedora and EPEL respectively.