Bug#852029: netbeans: CVE-2016-5537: Import directory traversal

Salvatore Bonaccorso carnil at debian.org
Fri Jan 20 20:34:16 UTC 2017


Source: netbeans
Version: 8.1+dfsg3-1
Severity: important
Tags: security upstream fixed-upstream
Control: fixed -1 8.2+dfsg1-1

Hi,

the following vulnerability was published for netbeans.

CVE-2016-5537[0]:
| Unspecified vulnerability in the NetBeans component in Oracle Fusion
| Middleware 8.1 allows local users to affect confidentiality,
| integrity, and availability via unknown vectors. NOTE: the previous
| information is from the October 2016 CPU. Oracle has not commented on
| third-party claims that this issue is a directory traversal
| vulnerability which allows local users with certain permissions to
| write to arbitrary files and consequently gain privileges via a ..
| (dot dot) in a archive entry in a ZIP file imported as a project.

There is a POC at [1]. It was apparently fixed in 8.2, which now warns
if a file wants to be written outside the project root, which can be
confirmed or denied via the dialog.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5537
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5537
[1] https://marc.info/?l=bugtraq&m=147711715824574&w=2

Regards,
Salvatore
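The 8.2 fix described above comes down to one check: before an imported archive entry is written, resolve the path it would land on and reject it if that path is not under the project root. The following is an added example of that check, not NetBeans code and not part of the bug report. It builds a constructed in-memory ZIP with one legitimate entry and two entries of the kind the CVE text describes (a `..` component and an absolute path), classifies each entry against a temporary destination, and extracts only the entries that stay inside the root. The function and entry names are the example's own.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archive: one legitimate project file plus two entries
# of the kind described in the CVE text (a ".." component and an absolute path).
SAMPLE_ENTRIES = {
    "project/src/Main.java": b"public class Main {}\n",
    "project/../../outside.txt": b"would be written outside the project root\n",
    "/etc/absolute.txt": b"absolute path entry\n",
}


def build_sample_zip(entries=SAMPLE_ENTRIES):
    """Return the bytes of an in-memory ZIP containing the constructed entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)  # names are stored verbatim, ".." and "/" included
    return buf.getvalue()


def resolve_entry(dest_root, entry_name):
    """Resolve an archive entry name to the absolute path it would be written to."""
    # os.path.join discards dest_root when entry_name is absolute, and realpath
    # collapses ".." components and symlinks, so this is the real write target.
    return os.path.realpath(os.path.join(dest_root, entry_name))


def is_within_root(dest_root, entry_name):
    """True if the entry resolves to a path strictly inside dest_root."""
    root = os.path.realpath(dest_root)
    target = resolve_entry(dest_root, entry_name)
    if target == root:
        return False  # an empty or "." entry would target the root directory itself
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:
        return False  # e.g. different drives on Windows: definitely not inside


def classify_entries(zip_bytes, dest_root):
    """Split archive entry names into (safe, rejected) relative to dest_root."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            (safe if is_within_root(dest_root, name) else rejected).append(name)
    return safe, rejected


def safe_extract(zip_bytes, dest_root):
    """Extract only entries that stay under dest_root; return the written paths."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not is_within_root(dest_root, info.filename):
                continue  # where 8.2 would prompt the user, this example simply skips
            target = resolve_entry(dest_root, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo():
    """Run the check against the constructed archive in a throwaway directory."""
    zip_bytes = build_sample_zip()
    with tempfile.TemporaryDirectory() as dest:
        safe, rejected = classify_entries(zip_bytes, dest)
        written = safe_extract(zip_bytes, dest)
        root = os.path.realpath(dest)
        return safe, rejected, [os.path.relpath(p, root) for p in written]


if __name__ == "__main__":
    safe, rejected, written = demo()
    print("safe:", safe)
    print("rejected:", rejected)
    print("written:", written)
```

The comparison is done on fully resolved paths on both sides rather than on the entry string, so encodings of the same escape (`a/../../x`, an absolute name, or a symlinked destination) are all caught by the same rule. A hardened importer would also apply the check to symlink entries and to the directory entries it creates, since those can be used to redirect later writes.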
