On Mon, 2006-03-27 at 21:25 +0200, Antoine Reilles wrote:
> Hi,

Salut Antoine, hi Tom,

thanks for the bug report.

> The fastjar in kaffe/external/gcc/fastjar has a security problem
> as reported at:
> http://secunia.com/advisories/14902
> There is a problem with input validation that allows extracting files
> to arbitrary locations, using ../ (see the url for more details).

I can confirm that the bug is indeed there in the version of fastjar
distributed in Kaffe 1.1.7. I've tried the steps described in

> I adapted a patch joerg at netbsd.org wrote for the fastjar package in
> pkgsrc to the fastjar in kaffe, adding the necessary input checks to
> avoid that problem.

Thanks! I'd recommend using realpath or canonicalize_file_name, if
available, to do the canonicalisation, rather than writing one's own
function, though. See
for a description. 

I guess you could then simply chop the first char off if it is a file
separator. I am not sure what the POSIX-y way to find out the file
separator char/string is, though.

Just slashing '/'s may not work so well on systems where '\' is the
directory separator, like win32. So I'd recommend going with realpath or

If the patch fixes the issue, please check it in, though. We can improve
on it while the hole is plugged. I need to check if the fastjar code in
gcc has changed between gcc 4.0.2 and 4.0.3/4.1.0.

> Is it right to commit? Also, a similar fix could be brought to the
> fastjar in gcc

I have not tried the fastjar code in gcc yet. I've fired off a gcc SVN
head build, but I don't know how long it will take. :/

dalibor topic
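The check discussed in this thread, written out as an added C example; it is not code from fastjar, Kaffe, gcc or the pkgsrc patch, and the function names jar_sanitize_entry and jar_build_dest are my own. It does what the reply suggests: leading separators are chopped off so an absolute entry name lands under the extraction directory, any ".." component is rejected, both '/' and '\' are treated as separators so the win32 case is covered, and the extraction directory itself is canonicalised with realpath(3) before the destination path is assembled. The extraction directory is assumed to exist, which realpath requires.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Treat both '/' and '\\' as separators: stripping only '/' is not
   enough on systems where '\' is the directory separator. */
static int is_sep(char c)
{
    return c == '/' || c == '\\';
}

/* Sanitise an archive entry name before it is used as an output path:
 *  - leading separators are chopped off, so an absolute name becomes
 *    relative to the extraction directory;
 *  - a Windows drive prefix such as "C:" is rejected;
 *  - any ".." component is rejected, whichever separator surrounds it;
 *  - a name that ends up empty is rejected.
 * Returns 0 and writes the cleaned name to out on success, -1 otherwise.
 */
int jar_sanitize_entry(const char *name, char *out, size_t outlen)
{
    if (name == NULL) return -1;
    while (is_sep(*name)) name++;               /* chop leading '/' or '\' */
    if (*name == '\0') return -1;
    if (name[1] == ':' && isalpha((unsigned char)name[0])) return -1;
    if (strlen(name) >= outlen) return -1;

    for (const char *p = name; *p != '\0'; ) {
        const char *start = p;
        while (*p != '\0' && !is_sep(*p)) p++;  /* scan one component */
        if (p - start == 2 && start[0] == '.' && start[1] == '.') return -1;
        while (is_sep(*p)) p++;                 /* skip separator run */
    }
    strcpy(out, name);
    return 0;
}

/* Build the destination path for an entry under extract_dir. The
 * extraction directory is canonicalised with realpath(3), the entry is
 * sanitised, and the joined result is checked to begin with the canonical
 * directory. Returns 0 and fills dest on success, -1 otherwise.
 */
int jar_build_dest(const char *extract_dir, const char *entry,
                   char *dest, size_t destlen)
{
    char canon[PATH_MAX];
    char clean[PATH_MAX];

    if (realpath(extract_dir, canon) == NULL) return -1;
    if (jar_sanitize_entry(entry, clean, sizeof clean) != 0) return -1;

    size_t clen = strlen(canon);
    const char *sep = (clen > 0 && canon[clen - 1] == '/') ? "" : "/";
    int n = snprintf(dest, destlen, "%s%s%s", canon, sep, clean);
    if (n < 0 || (size_t)n >= destlen) return -1;

    /* Defence in depth: the joined path must still start with the
       canonical extraction directory followed by a separator. */
    if (strncmp(dest, canon, clen) != 0 ||
        strncmp(dest + clen, sep, strlen(sep)) != 0)
        return -1;
    return 0;
}

/* Stand-alone demo on a few constructed entry names. */
int main(void)
{
    const char *entries[] = { "lib/Foo.class", "/etc/passwd",
                              "../../etc/passwd", "a\\..\\b" };
    char dest[PATH_MAX];
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        if (jar_build_dest(".", entries[i], dest, sizeof dest) == 0)
            printf("ok      %-20s -> %s\n", entries[i], dest);
        else
            printf("refused %s\n", entries[i]);
    }
    return 0;
}
```

Chopping the leading separator, as suggested in the reply, keeps archives that happen to contain absolute names extractable, while the ".." rejection is what actually closes the traversal hole; the realpath step only makes the prefix comparison meaningful when the extraction directory is itself given as a relative or symlinked path.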

