Updated arj packages fix security vulnerabilitiesPublication date: 15 Apr 2015
Affected Mageia releases : 4
CVE: CVE-2015-0556 , CVE-2015-0557 , CVE-2015-2782
Updated arj package fixes security vulnerabilities: ARJ follows symlinks when unpacking stuff, even the symlinks that were created during the same unpack process, making it vulnerable to a directory traversal (CVE-2015-0556). To protect from directory traversals, ARJ strips leading slash from the path when unpacking, but this protection can be easily bypassed by adding more than one leading slash to the path (CVE-2015-0557). ARJ is vulnerable to a buffer overflow when processing a specially crafted arj file (CVE-2015-2782).