Bug 62184 (CVE-2004-0947)

Summary: VUL-0: CVE-2004-0947: directory traversal bug in unarj
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0947: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments:
  arj archive that creates /etc/foo when extracted with unarj x
  patch
  patch against the buffer overflow
  patch against the directory traversal
  arj archive that produces a buffer overflow
  patch
  unarj.patch.maintained
  unarj.patch.box

Description Ludwig Nussel 2004-10-13 17:18:50 UTC
This issue is public.

Some guy calling himself "doubles" posted an almost unreadable mail
to full-disclosure talking about a directory traversal bug in unarj.
Archives that contain files with .. in their path can be used to
create files anywhere in the system. It looks like one cannot
overwrite existing files though.

Judging from the output of unarj we are not allowed to fix this bug
even if we had a patch:

"You may freely use, copy and distribute this program, provided that
no fee is charged for such use, copying or distribution, and it is
distributed ONLY in its original unmodified state."
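Added example, not code from unarj or from this report: the kind of member-name check an extractor needs so that an archive entry like the attached `/etc/foo` one cannot escape the extraction directory. It assumes both `/` and `\` count as separators (ARJ is a DOS-origin format) and rejects absolute paths, drive-letter prefixes and any `..` component; a `.` component or a name that merely contains dots is allowed.

```c
#include <stddef.h>

/* Both slash styles are treated as separators (assumption, see lead-in). */
static int is_sep(char c)
{
    return c == '/' || c == '\\';
}

static int is_alpha(char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

/* Returns 1 if `name` may be created below the extraction directory,
 * 0 if it is empty, absolute, drive-prefixed, or walks up via "..". */
int safe_archive_path(const char *name)
{
    const char *p = name;

    if (name == NULL || name[0] == '\0')
        return 0;
    if (is_sep(name[0]))                     /* "/etc/foo" or "\etc\foo" */
        return 0;
    if (is_alpha(name[0]) && name[1] == ':') /* "C:\..." */
        return 0;

    /* Walk the path one component at a time; only an exact ".." is fatal. */
    while (*p != '\0') {
        const char *start = p;
        size_t len;

        while (*p != '\0' && !is_sep(*p))
            p++;
        len = (size_t)(p - start);
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return 0;
        if (*p != '\0')
            p++;                             /* step over the separator */
    }
    return 1;
}
```

The check is on the raw member name; an extractor that also honours a stored "original path" field must run the same check on that field.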
Comment 1 Ludwig Nussel 2004-10-13 17:19:57 UTC
Created attachment 24933 [details]
arj archive that creates /etc/foo when extracted with unarj x
Comment 2 Marian Jancar 2004-10-13 19:26:52 UTC
I will make security upgrade when the upstream vendor releases fixed version.
Comment 3 Ludwig Nussel 2004-10-13 22:48:37 UTC
Are you in contact with the vendor? I doubt they read the mail on 
full-disclosure. 
Comment 4 Marian Jancar 2004-11-04 02:20:44 UTC
Created attachment 25750 [details]
patch

What do you think about this patch?
Comment 5 Ludwig Nussel 2004-11-05 23:47:55 UTC
It has two drawbacks, cur will stay NULL if files only contains dots and 
insane could be bigger than sane (hdr_filename > filename). 
 
While looking for more context for your patch I think I've found a buffer 
overflow in unarj.c: 
 
... 
static char   filename[FNAME_MAX];    <- I 
static char   comment[COMMENT_MAX]; 
... 
static short  entry_pos; <- II 
... 
read_header() 
{ 
    ... 
    entry_pos = get_word(); <- III 
    strncopy(filename, hdr_filename, sizeof(filename)); 
    strncopy(comment, hdr_comment, sizeof(comment)); 
    ... 
} 
... 
extract() 
{ 
    char name[FNAME_MAX]; <- IV 
    ... 
    if (command == 'E') 
	strcpy(name, &filename[entry_pos]); <- V 
    ... 
 
 
Memory layout on i386 looks like this: 
 
0x804d960  00000000 comment 
0x804d95c  00000000 . 
            [500 bytes skipped] 
0x804d764  00000000 . 
0x804d760  00000000 filename 
 
 
I) filename is 512 bytes 
II) entry_pos range is 2^15 
III) entry_pos, filename and comment are read from the arj file 
IV) name buffer is 512 bytes on stack 
V) content of filename starting at entry_pos copied into name 
 
So if entry_pos is > 512 the content of comment is written into name 
overflowing the stack. 
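Added illustration of the overflow mechanics described in the comment above; this is not unarj's code. A flat buffer stands in for the adjacent `filename`/`comment` globals, `COMMENT_MAX` and the helper names are assumptions, and the vulnerable copy is only measured, never performed, so the block runs safely. `safe_extract_name` is the check the original `strcpy(name, &filename[entry_pos])` lacks.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FNAME_MAX   512
#define COMMENT_MAX 2048   /* assumed; the bug only gives FNAME_MAX == 512 */

/* Flat block standing in for the adjacent static globals of Comment 5:
 * filename is area[0..FNAME_MAX), comment starts at area[FNAME_MAX]. */
struct arj_globals {
    char area[FNAME_MAX + COMMENT_MAX];
    unsigned short entry_pos;   /* read straight from the archive header */
};

static size_t bounded_len(const char *p, size_t max)
{
    size_t n = 0;
    while (n < max && p[n] != '\0')
        n++;
    return n;
}

/* Truncating copy with a guaranteed NUL, in the role of strncopy() in read_header(). */
static void copy_field(char *dst, size_t dst_size, const char *src)
{
    size_t n = bounded_len(src, dst_size - 1);
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Stand-in for read_header(): filename, comment and entry_pos all come from the file. */
void load_header(struct arj_globals *g, const char *fname, const char *comment,
                 unsigned short entry_pos)
{
    memset(g->area, 0, sizeof g->area);
    copy_field(g->area, FNAME_MAX, fname);
    copy_field(g->area + FNAME_MAX, COMMENT_MAX, comment);
    g->entry_pos = entry_pos;
}

/* Bytes the original strcpy(name, &filename[entry_pos]) would walk. Once
 * entry_pos >= FNAME_MAX the source is the comment, and anything longer than
 * FNAME_MAX - 1 overruns the 512-byte name[] on extract()'s stack. */
size_t vulnerable_copy_len(const struct arj_globals *g)
{
    size_t off = (size_t)g->entry_pos;
    if (off >= sizeof g->area)
        return sizeof g->area;          /* would read past the globals altogether */
    return bounded_len(g->area + off, sizeof g->area - off);
}

/* Hardened extract(): entry_pos must land inside the NUL-terminated filename
 * and the tail must fit the destination. */
int safe_extract_name(const struct arj_globals *g, char *name, size_t name_size)
{
    size_t flen = bounded_len(g->area, FNAME_MAX);
    size_t off = (size_t)g->entry_pos;
    size_t tail;

    if (off >= flen)
        return 0;                       /* base name would start beyond the filename */
    tail = flen - off;
    if (tail >= name_size)
        return 0;
    memcpy(name, g->area + off, tail);
    name[tail] = '\0';
    return 1;
}

/* Constructed hostile header: one-byte filename, 700-byte comment,
 * entry_pos = 600 so the copy starts inside the comment. */
static void build_hostile(struct arj_globals *g)
{
    char comment[701];
    memset(comment, 'A', 700);
    comment[700] = '\0';
    load_header(g, "x", comment, 600);
}

size_t demo_hostile_copy_len(void)
{
    struct arj_globals g;
    build_hostile(&g);
    return vulnerable_copy_len(&g);
}

int demo_hostile_rejected(void)
{
    struct arj_globals g;
    char name[FNAME_MAX];
    build_hostile(&g);
    return safe_extract_name(&g, name, sizeof name) == 0;
}

/* Constructed benign header: 1 if the base name comes out as "readme.txt". */
int demo_benign_ok(void)
{
    struct arj_globals g;
    char name[FNAME_MAX];
    load_header(&g, "docs/readme.txt", "a comment", 5);
    return safe_extract_name(&g, name, sizeof name) == 1 &&
           strcmp(name, "readme.txt") == 0;
}

int main(void)
{
    printf("hostile header: strcpy would walk %zu bytes into a %d-byte buffer, rejected=%d\n",
           demo_hostile_copy_len(), FNAME_MAX, demo_hostile_rejected());
    printf("benign header handled: %d\n", demo_benign_ok());
    return 0;
}
```

With the constructed header the copy walks 612 bytes (the comment from offset 600 up to its terminating NUL) into a 512-byte stack buffer, which is the condition the comment describes; the hardened version refuses any `entry_pos` at or beyond the filename's own length.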
Comment 6 Ludwig Nussel 2004-11-09 21:43:15 UTC
the buffer overflow is CAN-2004-0947 
Comment 7 Ludwig Nussel 2004-11-09 21:44:28 UTC
Created attachment 25912 [details]
patch against the buffer overflow
Comment 8 Ludwig Nussel 2004-11-09 21:44:53 UTC
Created attachment 25913 [details]
patch against the directory traversal
Comment 9 Ludwig Nussel 2004-11-09 21:45:25 UTC
Created attachment 25914 [details]
arj archive that produces a buffer overflow
Comment 10 Ludwig Nussel 2004-11-09 21:47:50 UTC
I've sent the patches and arj archive to vendor-sec, let's see what happens. 
Comment 11 Marian Jancar 2004-11-09 22:25:05 UTC
Created attachment 25916 [details]
patch

Ok. I have fixed my patch in the mean time, appending it.
Comment 12 Ludwig Nussel 2004-11-11 01:13:56 UTC
Are you in contact with the author of unarj to negotiate a release date for 
the buffer overflow? 
Comment 13 Marian Jancar 2004-11-11 01:32:23 UTC
The author doesn't respond to my emails. Should I submit the unarj with your
patches or wait?
Comment 14 Marcus Meissner 2004-11-12 21:28:44 UTC
To: Ludwig Nussel <ludwig.nussel@suse.de>                                        
Cc: vendor-sec@lst.de                                                            
Subject: Re: [vendor-sec] unarj buffer overflow                                  
From: Josh Bressers <bressers@redhat.com>     
 
Due to a miscommunication on my part, we've leaked this patch out to Fedora      
Core.  I apologize to anyone who is adversely affected. 
 
So it is public now :( 
 
Not sure how to proceed or if someone else wants to review this patch.                       
Comment 15 Marian Jancar 2004-11-22 17:41:01 UTC
Fixes submitted for all distributions.
Comment 16 Michael Schröder 2004-11-22 23:41:10 UTC
Please also submit patchinfos... (Or reassign to the secteam and let them do the
work ;-) )
Comment 17 Marcus Meissner 2004-11-22 23:42:58 UTC
will do 
Comment 18 Marcus Meissner 2004-11-22 23:54:42 UTC
Created attachment 26306 [details]
unarj.patch.maintained
Comment 19 Marcus Meissner 2004-11-22 23:55:01 UTC
Created attachment 26307 [details]
unarj.patch.box
Comment 20 Thomas Biege 2004-12-01 18:00:20 UTC
packages approved 
Comment 21 Thomas Biege 2009-10-13 19:53:31 UTC
CVE-2004-0947: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)