Package: arj
Version: 3.10.22-12
Tags: security

ARJ follows symlinks when unpacking stuff, even the symlinks that were created during the same unpack process. This can be exploited for directory traversal:

$ pwd
/home/jwilk

$ arj x traversal-dirsymlink.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [08 Aug 2014]
Processing archive: traversal-dirsymlink.arj
Archive created: 2015-01-02 18:01:19, modified: 2015-01-02 18:01:19
Extracting tmp (SymLink) OK
Extracting tmp/moo OK
2 file(s)

$ ls -ld tmp
lrwxrwxrwx 1 jwilk jwilk 4 Jan 2 18:32 tmp -> /tmp

$ ls -l /tmp/moo
-rw-r--r-- 1 jwilk jwilk 4 Jan 2 18:01 /tmp/moo

The script I used to create the test case is available at:
https://bitbucket.org/jwilk/path-traversal-samples

-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages arj depends on:
ii libc6 2.19-13

--
Jakub Wilk
traversal-dirsymlink.arj
Description: Binary data
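
Added example (not part of the original report and not arj's code): one way an extractor can create each member so that a symlink unpacked earlier in the same run, like "tmp" above, is never followed. The helper names safe_create_member and fail are hypothetical, and the code assumes a POSIX.1-2008 system with openat() and mkdirat().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Close fd, set errno to err, return -1. */
static int fail(int fd, int err) { close(fd); errno = err; return -1; }

/* Hypothetical helper: exclusively create the archive member `member`
 * (a relative path) below the directory open as rootfd, never passing
 * through a symlink. Returns a writable fd, or -1 with errno set. */
int safe_create_member(int rootfd, const char *member)
{
    char buf[4096], *save = NULL;
    if (member[0] == '/' || strlen(member) >= sizeof buf)
        return fail(-1, EINVAL);          /* absolute or oversized name */
    strcpy(buf, member);
    int dirfd = dup(rootfd);
    if (dirfd < 0)
        return -1;
    for (char *comp = strtok_r(buf, "/", &save); comp != NULL; ) {
        char *next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, ".") == 0 || strcmp(comp, "..") == 0)
            return fail(dirfd, EINVAL);
        if (next == NULL) {
            /* Last component: O_EXCL|O_NOFOLLOW refuses any existing name,
             * including a symlink created by an earlier member. */
            int fd = openat(dirfd, comp,
                            O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
            if (fd < 0)
                return fail(dirfd, errno);
            close(dirfd);
            return fd;
        }
        /* Intermediate component: must be a real directory. mkdirat gives
         * EEXIST for an existing symlink, and the open below rejects it. */
        if (mkdirat(dirfd, comp, 0700) < 0 && errno != EEXIST)
            return fail(dirfd, errno);
        int nextfd = openat(dirfd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        if (nextfd < 0)
            return fail(dirfd, errno);
        close(dirfd);
        dirfd = nextfd;
        comp = next;
    }
    return fail(dirfd, EINVAL);           /* empty member name */
}
```

Because every step is resolved relative to an already-open directory descriptor, the check and the create act on the same object, so swapping a directory for a symlink between the two does not help.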