CVE-2015-0557

NameCVE-2015-0557
DescriptionOpen-source ARJ archiver 3.10.22 does not properly remove leading slashes from paths, which allows remote attackers to conduct absolute path traversal attacks and write to arbitrary files via multiple leading slashes in a path in an ARJ archive.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-188-1, DSA-3213-1
Debian Bugs774435

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
arj (PTS)buster3.10.22-18fixed
bullseye3.10.22-24fixed
bookworm3.10.22-26fixed
sid, trixie3.10.22-27fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
arjsourcesqueeze3.10.22-9+deb6u1DLA-188-1
arjsourcewheezy3.10.22-10+deb7u1DSA-3213-1
arjsource(unstable)3.10.22-13low774435
Search for package or bug name: Reporting problems