Bugzilla – Bug 62184
VUL-0: CVE-2004-0947: directory traversal bug in unarj
Last modified: 2021-10-12 13:33:32 UTC
This issue is public. Some guy calling himself "doubles" posted an almost unreadable mail to full-disclosure talking about a directory traversal bug in unarj. Archives that contain files with .. in their path can be used to create files anywhere in the system. It looks like one cannot overwrite existing files though. Judging from the output of unarj we are not allowed to fix this bug even if we had a patch: "You may freely use, copy and distribute this program, provided that no fee is charged for such use, copying or distribution, and it is distributed ONLY in its original unmodified state."
Created attachment 24933 [details] arj archive that creates /etc/foo when extracted with unarj x
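The traversal described above comes down to trusting the entry name stored in the archive header. As an added illustration (not code from unarj and not the patch attached later in this bug), the following check rejects entry names that could land a file outside the extraction directory; the sample names in main() are constructed for the example and are not taken from attachment 24933.

```c
#include <stdio.h>
#include <string.h>

/* Reject archive entry names that could place a file outside the
 * extraction directory: absolute paths, DOS drive letters and any
 * path component that is exactly "..". Both '/' and '\\' are treated
 * as separators because ARJ archives come from DOS as well as Unix.
 * Returns 1 if the name is safe to use relative to the current
 * directory, 0 otherwise. */
int arj_name_is_safe(const char *name)
{
    const char *p;

    if (name == NULL || name[0] == '\0')
        return 0;
    if (name[0] == '/' || name[0] == '\\')
        return 0;                       /* absolute path */
    if (name[1] == ':')
        return 0;                       /* drive letter such as "C:" */

    for (p = name; ; ) {
        size_t len = strcspn(p, "/\\"); /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                   /* ".." would climb out */
        if (p[len] == '\0')
            break;
        p += len + 1;
    }
    return 1;
}

/* Constructed sample entry names (not taken from the attachment). */
int main(void)
{
    const char *samples[] = {
        "docs/readme.txt", "../../etc/foo", "/etc/foo",
        "sub/..hidden/x", "a\\..\\b", "C:autoexec.bat"
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-20s %s\n", samples[i],
               arj_name_is_safe(samples[i]) ? "ok" : "REJECT");
    return 0;
}
```

The check is deliberately strict: a component like "..hidden" is allowed because only an exact ".." component changes directory, while anything starting with a separator or a drive letter is refused outright rather than rewritten.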
I will make security upgrade when the upstream vendor releases fixed version.
Are you in contact with the vendor? I doubt they read the mail on full-disclosure.
Created attachment 25750 [details] patch
What do you think about this patch?
It has two drawbacks: cur will stay NULL if files only contain dots, and insane could be bigger than sane (hdr_filename > filename).

While looking for more context for your patch I think I've found a buffer overflow in unarj.c:

    ...
    static char filename[FNAME_MAX];                <- I
    static char comment[COMMENT_MAX];
    ...
    static short entry_pos;                         <- II
    ...
    read_header()
    {
        ...
        entry_pos = get_word();                     <- III
        strncopy(filename, hdr_filename, sizeof(filename));
        strncopy(comment, hdr_comment, sizeof(comment));
        ...
    }
    ...
    extract()
    {
        char name[FNAME_MAX];                       <- IV
        ...
        if (command == 'E')
            strcpy(name, &filename[entry_pos]);     <- V
        ...

Memory layout on i386 looks like this:

    0x804d960 00000000 comment
    0x804d95c 00000000 .
    [500 bytes skipped]
    0x804d764 00000000 .
    0x804d760 00000000 filename

I)   filename is 512 bytes
II)  entry_pos range is 2^15
III) entry_pos, filename and comment are read from the arj file
IV)  name buffer is 512 bytes on stack
V)   content of filename starting at entry_pos copied into name

So if entry_pos is > 512 the content of comment is written into name, overflowing the stack.
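The root cause in V is that entry_pos comes straight from the archive header and is used as an index without being compared against what is actually stored in filename. As an added example (not unarj's code and not the patch in attachment 25912, whose contents are not shown in this bug), the function below performs the same copy as extract() only after validating entry_pos against the NUL-terminated length of filename; FNAME_MAX is assumed to be 512 as stated in I and IV, and the header values in main() are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define FNAME_MAX 512   /* size of unarj's filename[] and name[] buffers */

/* Length of s, scanning at most max bytes (strnlen without the POSIX
 * dependency). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t i = 0;
    while (i < max && s[i] != '\0')
        i++;
    return i;
}

/* Copy the part of filename that starts at entry_pos into name, the
 * way unarj's extract() does, but only after checking that entry_pos
 * indexes into filename's own NUL-terminated content. An entry_pos past
 * the terminator would make strcpy read whatever follows filename in
 * memory (comment[] in the layout above) and overrun name on the stack.
 * Returns 1 on success, 0 if the header value is rejected. */
int safe_extract_name(char name[FNAME_MAX], const char filename[FNAME_MAX],
                      short entry_pos)
{
    size_t fl = bounded_len(filename, FNAME_MAX);

    if (fl >= FNAME_MAX)
        return 0;   /* filename not terminated inside its buffer */
    if (entry_pos < 0 || (size_t)entry_pos > fl)
        return 0;   /* offset outside the stored name */

    /* fl - entry_pos + 1 <= FNAME_MAX here, so this cannot overrun name */
    memcpy(name, filename + entry_pos, fl - (size_t)entry_pos + 1);
    return 1;
}

int main(void)
{
    /* Constructed header values, not from the attached archive. */
    char filename[FNAME_MAX] = "dir/sub/file.txt";
    char name[FNAME_MAX];
    short probes[] = { 8, 16, 17, 600, -1 };
    size_t i;

    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        if (safe_extract_name(name, filename, probes[i]))
            printf("entry_pos=%d -> \"%s\"\n", probes[i], name);
        else
            printf("entry_pos=%d -> rejected\n", probes[i]);
    }
    return 0;
}
```

An entry_pos equal to the name length yields an empty name, which is what the original strcpy would also produce; anything beyond the terminator is refused instead of being read from neighbouring memory.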
the buffer overflow is CAN-2004-0947
Created attachment 25912 [details] patch against the buffer overflow
Created attachment 25913 [details] patch against the directory traversal
Created attachment 25914 [details] arj archive that produces a buffer overflow
I've sent the patches and arj archive to vendor-sec, let's see what happens.
Created attachment 25916 [details] patch
Ok. I have fixed my patch in the meantime, appending it.
Are you in contact with the author of unarj to negotiate a release date for the buffer overflow?
The author doesn't respond to my emails. Should I submit the unarj with your patches or wait?
To: Ludwig Nussel <ludwig.nussel@suse.de>
Cc: vendor-sec@lst.de
Subject: Re: [vendor-sec] unarj buffer overflow
From: Josh Bressers <bressers@redhat.com>

Due to a miscommunication on my part, we've leaked this patch out to Fedora Core. I apologize to anyone who is adversely affected.

So it is public now :( Not sure how to proceed or if someone else wants to review this patch.
Fixes submitted for all distributions.
Please also submit patchinfos... (Or reassign to the secteam and let them do the work ;-) )
will do
Created attachment 26306 [details] unarj.patch.maintained
Created attachment 26307 [details] unarj.patch.box
packages approved
CVE-2004-0947: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)