- Added patch from Debian to avoid free on invalid pointer due to a buffer overflow (#1196751, #1207180)

- Added patch from Debian for symlink directory traversal (#1178824)
- Added patch from Debian to fix the directory traversal via //multiple/leading/slash (#1178824)

arj-3.10.22-security-afl.patch

@@ -0,0 +1,35 @@
+Description: Fix buffer overflow causing an invalid pointer free().
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/774015
+Forwarded: no
+Last-Update: 2015-02-26
+
+---
+ decode.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/decode.c
++++ b/decode.c
+@@ -255,7 +255,7 @@ void read_pt_len(int nn, int nbit, int i
+    if(i==i_special)
+    {
+     c=getbits(2);
+-    while(--c>=0)
++    while(--c>=0&&i<nn)
+      pt_len[i++]=0;
+    }
+   }
+@@ -314,10 +314,10 @@ void read_c_len()
+      c=getbits(CBIT);
+      c+=20;
+     }
+-    while(--c>=0)
++    while(--c>=0&&i<NC)
+      c_len[i++]=0;
+    }
+-   else
++   else if (i<NC)
+     c_len[i++]=(unsigned char)(c-2);
+   }
+   while(i<NC)

arj-3.10.22-security-traversal-dir.patch

@@ -0,0 +1,33 @@
+Description: Fix absolute path traversals.
+ Catch multiple leading slashes when checking for absolute path traversals.
+ .
+ Fixes CVE-2015-0557.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/774435
+Forwarded: no
+Last-Update: 2015-02-26
+
+---
+ environ.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/environ.c
++++ b/environ.c
+@@ -1087,6 +1087,8 @@ static char *validate_path(char *name)
+   if(action!=VALIDATE_DRIVESPEC)
+   {
+ #endif
++   while (name[0]!='\0'&&
++          (name[0]=='.'||name[0]==PATHSEP_DEFAULT||name[0]==PATHSEP_UNIX)) {
+    if(name[0]=='.')
+    {
+     if(name[1]=='.'&&(name[2]==PATHSEP_DEFAULT||name[2]==PATHSEP_UNIX))
+@@ -1096,6 +1098,7 @@ static char *validate_path(char *name)
+    }
+    if(name[0]==PATHSEP_DEFAULT||name[0]==PATHSEP_UNIX)
+     name++;                             /* "\\" - revert to root */
++   }
+ #if SFX_LEVEL>=ARJSFXV
+   }
+  }

arj-3.10.22-security-traversal-symlink.patch

@@ -0,0 +1,85 @@
+Description: Fix symlink directory traversal.
+ Do not allow symlinks that traverse the current directoru, nor absolute
+ symlinks.
+ .
+ Fixes CVE-2015-0556.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/774434
+Forwarded: no
+Last-Update: 2015-03-28
+
+---
+ uxspec.c |   54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 54 insertions(+)
+
+--- a/uxspec.c
++++ b/uxspec.c
+@@ -120,6 +120,58 @@ int query_uxspecial(char FAR **dest, cha
+ }
+ #endif
+ 
++#if TARGET==UNIX
++static int is_link_traversal(const char *name)
++{
++  enum {
++    STATE_NONE,
++    STATE_DOTS,
++    STATE_NAME,
++  } state = STATE_NONE;
++  int ndir = 0;
++  int dots = 0;
++
++  while(*name) {
++    int c = *name++;
++
++    if (c == '/')
++    {
++      if ((state == STATE_DOTS) && (dots == 2))
++        ndir--;
++      if (ndir < 0)
++        return 1;
++      if ((state == STATE_DOTS && dots == 1) && ndir == 0)
++        return 1;
++      if (state == STATE_NONE && ndir == 0)
++        return 1;
++      if ((state == STATE_DOTS) && (dots > 2))
++        ndir++;
++      state = STATE_NONE;
++      dots = 0;
++    }
++    else if (c == '.')
++    {
++      if (state == STATE_NONE)
++        state = STATE_DOTS;
++      dots++;
++    }
++    else
++    {
++      if (state == STATE_NONE)
++        ndir++;
++      state = STATE_NAME;
++    }
++  }
++
++  if ((state == STATE_DOTS) && (dots == 2))
++    ndir--;
++  if ((state == STATE_DOTS) && (dots > 2))
++    ndir++;
++
++  return ndir < 0;
++}
++#endif
++
+ /* Restores the UNIX special file data */
+ 
+ int set_uxspecial(char FAR *storage, char *name)
+@@ -156,6 +208,8 @@ int set_uxspecial(char FAR *storage, cha
+      l=sizeof(tmp_name)-1;
+     far_memmove((char FAR *)tmp_name, dptr, l);
+     tmp_name[l]='\0';
++    if (is_link_traversal(tmp_name))
++      return(UXSPEC_RC_ERROR);
+     rc=(id==UXSB_HLNK)?link(tmp_name, name):symlink(tmp_name, name);
+     if(!rc)
+      return(0);

arj.spec

@@ -1,7 +1,7 @@
 Summary:	Archiver for .arj files
 Name:		arj
 Version:	3.10.22
-Release:	21%{?dist}
+Release:	22%{?dist}
 License:	GPL+
 Group:		Applications/Archiving
 URL:		http://arj.sourceforge.net/
@@ -20,6 +20,9 @@ Patch7:		arj-3.10.22-missing-protos.patch
 Patch8:		arj-3.10.22-custom-printf.patch
 # Filed into upstream bugtracker as https://sourceforge.net/tracker/?func=detail&aid=2853421&group_id=49820&atid=457566
 Patch9:		arj-3.10.22-quotes.patch
+Patch10:        arj-3.10.22-security-afl.patch
+Patch11:        arj-3.10.22-security-traversal-dir.patch
+Patch12:        arj-3.10.22-security-traversal-symlink.patch
 BuildRequires:	autoconf
 Provides:	unarj = %{version}-%{release}
 Obsoletes:	unarj < 3
@@ -43,6 +46,9 @@ Software, Inc.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
 
 pushd gnu
   autoconf
@@ -73,13 +79,22 @@ rm -rf $RPM_BUILD_ROOT
 
 %files
 %defattr(-,root,root,-)
-%doc ChangeLog* doc/COPYING doc/rev_hist.txt
+%{!?_licensedir:%global license %%doc}
+%license doc/COPYING
+%doc ChangeLog* doc/rev_hist.txt
 %config(noreplace) %{_sysconfdir}/rearj.cfg
 %{_bindir}/*arj*
 %{_libdir}/arj/
 %{_mandir}/man1/*arj*1.*
 
 %changelog
+* Fri Apr 03 2015 Robert Scheck <robert@fedoraproject.org> 3.10.22-22
+- Added patch from Debian to avoid free on invalid pointer due to a
+  buffer overflow (#1196751, #1207180)
+- Added patch from Debian for symlink directory traversal (#1178824)
+- Added patch from Debian to fix the directory traversal via
+  //multiple/leading/slash (#1178824)
+
 * Sat Feb 21 2015 Till Maas <opensource@till.name> - 3.10.22-21
 - Rebuilt for Fedora 23 Change
   https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code