[Bug 4448] New: Directory traversal vulnerability in MimeBodyPart.getFileName(): CVE-2005-1105

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

From: <bugzilla-daemon_at_kenai.com>
Date: Fri, 12 Aug 2011 06:08:49 +0000 (GMT)

http://kenai.com/bugzilla/show_bug.cgi?id=4448

           Summary: Directory traversal vulnerability in
                    MimeBodyPart.getFileName(): CVE-2005-1105
           Product: javamail
           Version: 1.4.5
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P4
         Component: internet
        AssignedTo: shannon_at_kenai.com
        ReportedBy: djorm_at_kenai.com
                CC: issues_at_javamail.kenai.com

This issue was originally identified on bugtraq in 2005:

http://marc.info/?l=bugtraq&m=111335615600839&w=2

The vulnerability does not appear to have ever been addressed. Looking at the
latest code in hg, I see:

mail/src/main/java/javax/mail/internet/MimeBodyPart.java

Is still missing any protection against directory traversal in getFileName().
Could this issue please be addressed in the next release? I am happy to provide
a suggested patch if that helps. Thanks!

-- 
Configure bugmail: http://kenai.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.