From owner-freebsd-java@FreeBSD.ORG  Wed Aug 15 21:10:07 2007
Return-Path: <owner-freebsd-java@FreeBSD.ORG>
Delivered-To: freebsd-java@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B37C116A417
	for <freebsd-java@hub.freebsd.org>;
	Wed, 15 Aug 2007 21:10:07 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 9FD1313C469
	for <freebsd-java@hub.freebsd.org>;
	Wed, 15 Aug 2007 21:10:07 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.1/8.14.1) with ESMTP id l7FLA793085315
	for <freebsd-java@freefall.freebsd.org>; Wed, 15 Aug 2007 21:10:07 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.1/8.14.1/Submit) id l7FLA7OR085313;
	Wed, 15 Aug 2007 21:10:07 GMT (envelope-from gnats)
Date: Wed, 15 Aug 2007 21:10:07 GMT
Message-Id: <200708152110.l7FLA7OR085313@freefall.freebsd.org>
To: freebsd-java@FreeBSD.org
From: "Ronald Klop" <ronald-freebsd8@klop.yi.org>
Cc: 
Subject: Re: java/115558: linux-sun-jdk-1.6.0.02 is incorrectly marked as
	vulnerable
X-BeenThere: freebsd-java@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Ronald Klop <ronald-freebsd8@klop.yi.org>
List-Id: Porting Java to FreeBSD <freebsd-java.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-java>,
	<mailto:freebsd-java-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-java>
List-Post: <mailto:freebsd-java@freebsd.org>
List-Help: <mailto:freebsd-java-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-java>,
	<mailto:freebsd-java-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Aug 2007 21:10:07 -0000

The following reply was made to PR ports/115558; it has been noted by GNATS.

From: "Ronald Klop" <ronald-freebsd8@klop.yi.org>
To: "Greg Lewis" <glewis@eyesbeyond.com>
Cc: "FreeBSD gnats submit" <FreeBSD-gnats-submit@freebsd.org>
Subject: Re: java/115558: linux-sun-jdk-1.6.0.02 is incorrectly marked as vulnerable
Date: Wed, 15 Aug 2007 23:00:24 +0200

 On Wed, 15 Aug 2007 22:41:51 +0200, Greg Lewis <glewis@eyesbeyond.com>  
 wrote:
 
 > The problem is, I think its still vulnerable:
 >
 > laptop> ls /tmp/test
 > ls: /tmp/test: No such file or directory
 > laptop> pwd
 > /tmp/jar_test
 > laptop> jar tf bad.jar
 > META-INF/
 > META-INF/MANIFEST.MF
 > java-rmi.cgi
 > ../../../../../../../../../../../../../../tmp/test
 > laptop> /usr/local/linux-sun-jdk1.6.0/bin/jar xf bad.jar
 > laptop> ls /tmp/test
 > /tmp/test
 > laptop> rm -f /tmp/test
 > laptop> /usr/local/jdk1.6.0/bin/jar xf bad.jar
 > ignoring entry ../../../../../../../../../../../../../../tmp/test
 > laptop> ls /tmp/test
 > ls: /tmp/test: No such file or directory
 > laptop>
 >
 
 Then please close my PR. Thanks for testing this better than I did.
 
 Ronald.
 
 -- 
   Ronald Klop
   Amsterdam, The Netherlands