From owner-freebsd-java@FreeBSD.ORG  Wed Aug 15 21:20:07 2007
Return-Path: <owner-freebsd-java@FreeBSD.ORG>
Delivered-To: freebsd-java@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id CB59716A417
	for <freebsd-java@hub.freebsd.org>;
	Wed, 15 Aug 2007 21:20:07 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id B055A13C442
	for <freebsd-java@hub.freebsd.org>;
	Wed, 15 Aug 2007 21:20:07 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.1/8.14.1) with ESMTP id l7FLK7AM085581
	for <freebsd-java@freefall.freebsd.org>; Wed, 15 Aug 2007 21:20:07 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.1/8.14.1/Submit) id l7FLK7bO085579;
	Wed, 15 Aug 2007 21:20:07 GMT (envelope-from gnats)
Date: Wed, 15 Aug 2007 21:20:07 GMT
Message-Id: <200708152120.l7FLK7bO085579@freefall.freebsd.org>
To: freebsd-java@FreeBSD.org
From: Greg Lewis <glewis@eyesbeyond.com>
Cc: 
Subject: Re: java/115558: linux-sun-jdk-1.6.0.02 is incorrectly marked as
	vulnerable
X-BeenThere: freebsd-java@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Greg Lewis <glewis@eyesbeyond.com>
List-Id: Porting Java to FreeBSD <freebsd-java.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-java>,
	<mailto:freebsd-java-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-java>
List-Post: <mailto:freebsd-java@freebsd.org>
List-Help: <mailto:freebsd-java-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-java>,
	<mailto:freebsd-java-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Aug 2007 21:20:07 -0000

The following reply was made to PR ports/115558; it has been noted by GNATS.

From: Greg Lewis <glewis@eyesbeyond.com>
To: Ronald Klop <ronald-freebsd8@klop.yi.org>
Cc: FreeBSD gnats submit <FreeBSD-gnats-submit@freebsd.org>
Subject: Re: java/115558: linux-sun-jdk-1.6.0.02 is incorrectly marked as vulnerable
Date: Wed, 15 Aug 2007 13:41:51 -0700

 The problem is, I think its still vulnerable:
 
 laptop> ls /tmp/test
 ls: /tmp/test: No such file or directory
 laptop> pwd
 /tmp/jar_test
 laptop> jar tf bad.jar
 META-INF/
 META-INF/MANIFEST.MF
 java-rmi.cgi
 ../../../../../../../../../../../../../../tmp/test
 laptop> /usr/local/linux-sun-jdk1.6.0/bin/jar xf bad.jar
 laptop> ls /tmp/test
 /tmp/test
 laptop> rm -f /tmp/test
 laptop> /usr/local/jdk1.6.0/bin/jar xf bad.jar
 ignoring entry ../../../../../../../../../../../../../../tmp/test
 laptop> ls /tmp/test
 ls: /tmp/test: No such file or directory
 laptop>                                                        
 
 -- 
 Greg Lewis                          Email   : glewis@eyesbeyond.com
 Eyes Beyond                         Web     : http://www.eyesbeyond.com
 Information Technology              FreeBSD : glewis@FreeBSD.org