Package: arj
Version: 3.10.22-12
Tags: security

ARJ follows symlinks when unpacking stuff, even the symlinks that were created during the same unpack process. This can be exploited for directory traversal:

$ pwd
/home/jwilk

$ arj x traversal-dirsymlink.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [08 Aug 2014]

Processing archive: traversal-dirsymlink.arj
Archive created: 2015-01-02 18:01:19, modified: 2015-01-02 18:01:19
Extracting tmp                         (SymLink) OK
Extracting tmp/moo                     OK
    2 file(s)

$ ls -ld tmp
lrwxrwxrwx 1 jwilk jwilk 4 Jan  2 18:32 tmp -> /tmp

$ ls -l /tmp/moo
-rw-r--r-- 1 jwilk jwilk 4 Jan  2 18:01 /tmp/moo


The script I used to create the test case is available at:
https://bitbucket.org/jwilk/path-traversal-samples

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages arj depends on:
ii  libc6  2.19-13

--
Jakub Wilk

Attachment: traversal-dirsymlink.arj
Description: Binary data
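
An added example, not part of the original report and not ARJ's own code: one way an extractor can refuse the write shown above is to resolve each member name one component at a time relative to the destination directory, opening every component with O_NOFOLLOW. The helper name safe_create, its parameters and the scratch directory in main are assumptions made for this illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not ARJ code): create archive member `rel` below rootfd.
 * Every path component is opened with O_NOFOLLOW, so a symlink unpacked earlier
 * in the same run (tmp -> /tmp) cannot redirect the write outside rootfd.
 * Returns a writable fd, or -1 with errno set. */
int safe_create(int rootfd, const char *rel)
{
    char buf[4096], *save = NULL, *name, *next;
    int dirfd, fd, err;

    if (rel[0] == '/' || strlen(rel) >= sizeof buf) { errno = EINVAL; return -1; }
    strcpy(buf, rel);
    if ((dirfd = dup(rootfd)) < 0) return -1;
    errno = EINVAL;                          /* reported for an empty name */
    name = strtok_r(buf, "/", &save);
    while (name != NULL) {
        if (strcmp(name, "..") == 0) { errno = EINVAL; break; }
        next = strtok_r(NULL, "/", &save);
        if (next == NULL) {   /* last component: O_EXCL refuses existing files and symlinks */
            fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
            err = errno; close(dirfd); errno = err;
            return fd;
        }
        /* Intermediate component: create it if missing, then open without following. */
        if (mkdirat(dirfd, name, 0755) < 0 && errno != EEXIST) break;
        fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        if (fd < 0) break;                   /* fails when `name` is a symlink */
        close(dirfd);
        dirfd = fd;
        name = next;
    }
    err = errno; close(dirfd); errno = err;
    return -1;
}

int main(void)
{
    char root[] = "/tmp/arj-demo-XXXXXX";    /* constructed scratch directory */
    int rootfd = mkdtemp(root) ? open(root, O_RDONLY | O_DIRECTORY) : -1;
    if (rootfd < 0 || symlinkat("/tmp", rootfd, "tmp") < 0) return 2;
    return safe_create(rootfd, "tmp/moo") < 0 ? 0 : 1;   /* 0: traversal refused */
}
```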
