Bug#852029: netbeans: CVE-2016-5537: Import directory traversal

Salvatore Bonaccorso carnil at debian.org
Mon Jan 23 06:23:24 UTC 2017


Hi Markus,

Thanks for looking into the issue.

On Sun, Jan 22, 2017 at 09:28:31PM +0100, Markus Koschany wrote:
> On Fri, 20 Jan 2017 21:34:16 +0100 Salvatore Bonaccorso
> <carnil at debian.org> wrote:
> > Source: netbeans
> > Version: 8.1+dfsg3-1
> > Severity: important
> > Tags: security upstream fixed-upstream
> > Control: fixed -1 8.2+dfsg1-1
> > 
> > Hi,
> > 
> > the following vulnerability was published for netbeans.
> > 
> > CVE-2016-5537[0]:
> 
> Hi,
> 
> I must admit I have no idea how to fix this in 8.1 because I cannot find
> any information about what specific part of Netbeans is affected and
> whether a minimal patch exists. It is also not clear if 8.2 in
> experimental is affected or not because I had to replace several modules
> with the ones shipped in 8.1 otherwise the package won't even compile.

I agree, upstream has not really provided any useful information, and
we have to somehow trust Oracle here that 8.2 contains the fix. I'm
confident, since the 8.2 version now gives a warning if you try to
import a project from a zip file containing members with "../". But I
was unable to determine the exact code change.

I'm not sure about the options.

1/ try to determine the required changes and backport them to 8.1
ideally, but seems a bit hard.
2/ live with the issue, and once stretch is a stable release mark it
as no-dsa as well there.
3/ Ask the release team about having 8.2+dfsg1-1 in stretch, but I guess that
unblock is not feasible anymore now.
4/ something missing?

Regards, and sorry for not being more helpful here,
Salvatore
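The behaviour the thread describes (refusing a project import when the archive contains members with "../") can be checked generically before anything is written to disk. The following is an added example, not NetBeans code and not the fix discussed above; the archive contents, the destination path and the function names are constructed for illustration.

```python
import io
import os
import zipfile


def build_sample_zip(include_escapes: bool = True) -> bytes:
    """Constructed sample archive (not from the bug report): one normal
    project file plus, optionally, entries that try to leave the import dir."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/nbproject/project.xml", "<project/>")
        if include_escapes:
            zf.writestr("../outside.txt", "escaped via parent reference")
            zf.writestr("/abs/path.txt", "escaped via absolute name")
    return buf.getvalue()


def unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list:
    """Return the names of entries whose resolved path would land outside
    dest_dir. The check works on the normalised absolute path, so "../"
    sequences, absolute names and backslash separators are all caught,
    rather than only a literal ".." substring."""
    root = os.path.realpath(dest_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Some archivers emit backslashes; treat them as separators too.
            joined = os.path.join(root, name.replace("\\", "/"))
            candidate = os.path.realpath(joined)
            try:
                inside = os.path.commonpath([root, candidate]) == root
            except ValueError:  # different drives on Windows: not inside
                inside = False
            if not inside:
                bad.append(name)
    return bad


def safe_extract(zip_bytes: bytes, dest_dir: str) -> None:
    """Validate every member first; refuse the whole import if any escapes."""
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing import: entries escape {dest_dir}: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
```

Validating all names before extracting anything avoids a half-written project directory when the offending member is not the first one.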
