Bug 959434 - libbluray (MountManager): Directory traversal when expanding certain JAR files
Summary: libbluray (MountManager): Directory traversal when expanding certain JAR files
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 959238 1381796 1381797
Blocks: 959437
TreeView+ depends on / blocked
 
Reported: 2013-05-03 13:15 UTC by Jan Lieskovsky
Modified: 2019-09-29 13:04 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-05 04:47:55 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2013-05-03 13:15:52 UTC
A directory traversal flaw was found in the way the MountManager class implementation of libbluray, a library to access Blu-Ray disks for video playback, performed expansion of certain JAR archives / files. An attacker could provide a specially-crafted JAR file that, when expanded by the MountManager, could lead to file system entries / directory traversal (possibly leading to their ability [in a destructive way] to overwrite arbitrary file, accessible with the privileges of the user running the application utilizing the libbluray library).

This issue was discovered by Florian Weimer of Red Hat Product Security Team.

Comment 1 Jan Lieskovsky 2013-05-03 13:18:27 UTC
This issue affects the versions of the libbluray package, as shipped with Fedora release of 17, 18, and Fedora EPEL-6.

Comment 2 Kurt Seifried 2015-02-23 02:33:00 UTC
From the original report by Florian Weimer:

The other problem is that this code further below does not guard against directory traversal attacks from a malicious JAR file:

                File out = new File(tmpDir + File.separator + entry.getName());
                
                if (entry.isDirectory()) {
                    out.mkdir();
                } else {
                    InputStream inStream = jar.getInputStream(entry);
                    OutputStream outStream = new FileOutputStream(out);
                    
                    while (inStream.available() > 0) {
                        outStream.write(inStream.read());
                    }
                    
                    inStream.close();
                    outStream.close();
                }

Comment 3 Doran Moppert 2016-10-05 04:46:46 UTC
Created libbluray tracking bugs for this issue:

Affects: fedora-all [bug 1381796]
Affects: epel-6 [bug 1381797]

Comment 4 Xavier Bachelot 2018-08-02 16:05:15 UTC
I'm confused on the status of this bug. It was closed as NOTABUG, but there was no comment as to why. Is the issue still current or not ?
Fedora has a newer version than EL7, so I guess its' not affected (https://bugzilla.redhat.com/show_bug.cgi?id=1381796).
EPEL6 might still have the issue as the version is earlier than EL7 and wasn't updated due to soname bump (https://bugzilla.redhat.com/show_bug.cgi?id=1381797).

Comment 5 Doran Moppert 2018-08-03 01:34:54 UTC
The NOTABUG status reflects Red Hat products (EL7 in this case).  In "Depends On", you can see bugs were filed for Fedora and EPEL respectively.


Note You need to log in before you can comment on or make changes to this bug.