java/115558: linux-sun-jdk-1.6.0.02 is incorrectly marked as vulnerable

Greg Lewis glewis at eyesbeyond.com
Wed Aug 15 14:20:07 PDT 2007


The following reply was made to PR ports/115558; it has been noted by GNATS.

From: Greg Lewis <glewis at eyesbeyond.com>
To: Ronald Klop <ronald-freebsd8 at klop.yi.org>
Cc: FreeBSD gnats submit <FreeBSD-gnats-submit at freebsd.org>
Subject: Re: java/115558: linux-sun-jdk-1.6.0.02 is incorrectly marked as vulnerable
Date: Wed, 15 Aug 2007 13:41:51 -0700

 The problem is, I think it's still vulnerable:
 
 laptop> ls /tmp/test
 ls: /tmp/test: No such file or directory
 laptop> pwd
 /tmp/jar_test
 laptop> jar tf bad.jar
 META-INF/
 META-INF/MANIFEST.MF
 java-rmi.cgi
 ../../../../../../../../../../../../../../tmp/test
 laptop> /usr/local/linux-sun-jdk1.6.0/bin/jar xf bad.jar
 laptop> ls /tmp/test
 /tmp/test
 laptop> rm -f /tmp/test
 laptop> /usr/local/jdk1.6.0/bin/jar xf bad.jar
 ignoring entry ../../../../../../../../../../../../../../tmp/test
 laptop> ls /tmp/test
 ls: /tmp/test: No such file or directory
 laptop>
 
 -- 
 Greg Lewis                          Email   : glewis at eyesbeyond.com
 Eyes Beyond                         Web     : http://www.eyesbeyond.com
 Information Technology              FreeBSD : glewis at FreeBSD.org
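
In the session above, the native jdk1.6.0 `jar` reports "ignoring entry" for the `../` name while the Linux JDK's `jar` writes `/tmp/test`. As an added example (not part of the original message and not code from either JDK), the Python below applies an entry-name check of that kind before extraction; the function names are hypothetical and the archive is a constructed stand-in for `bad.jar` using the entry names from the listing.

```python
import io
import os
import zipfile

# Constructed sample: the entry names shown by `jar tf bad.jar` in the message.
ENTRIES = [
    "META-INF/",
    "META-INF/MANIFEST.MF",
    "java-rmi.cgi",
    "../../../../../../../../../../../../../../tmp/test",
]

def build_sample_jar() -> bytes:
    """Build an in-memory archive with the entry names above (empty contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ENTRIES:
            zf.writestr(name, b"")
    return buf.getvalue()

def escapes_root(name: str) -> bool:
    """True if extracting `name` under a directory could write outside it."""
    name = name.replace("\\", "/")
    if name.startswith("/") or name[1:2] == ":":   # absolute or drive-letter path
        return True
    depth = 0
    for part in name.split("/"):
        if part in ("", "."):
            continue
        depth += -1 if part == ".." else 1
        if depth < 0:                               # climbed above the root
            return True
    return False

def extract_checked(data: bytes, dest: str) -> list:
    """Extract entries that stay under `dest`; return the names that were skipped."""
    skipped = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if escapes_root(info.filename):
                skipped.append(info.filename)
                continue
            target = os.path.join(dest, *info.filename.split("/"))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
    return skipped
```

`extract_checked(build_sample_jar(), some_dir)` returns the skipped traversal entry and leaves only the three legitimate entries under `some_dir`.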

