Package: unrar
Version: 1:5.6.6-2
Severity: normal

Dear Maintainer,

when passing certain (archive) filenames to unrar, unrar will corrupt them
and not be able to open them. The peculiar way this corruption occurs
hints at possible security issues.

Example:

   strace -feexecve,stat perl -e 'system "unrar", "x", "x\x92.rar"'

Outputs, among other things:

   [pid  9326] execve("/bin/unrar", ["unrar", "x", "x\222.rar"], 0x5555557679f0 /* 112 vars */) = 0
   [pid  9326] stat("x\222.ra", 0x7ffffffef1d0) = -1 ENOENT (No such file or directory)
   Cannot open x�.ra

(the later filename is written like this):

   [pid  9390] write(2, "x", 1x)            = 1
   [pid  9390] write(2, "\357\277\276", 3�) = 3
   [pid  9390] write(2, "\356\202\222", 3) = 3
   [pid  9390] write(2, ".", 1.)            = 1
   [pid  9390] write(2, "r", 1r)            = 1
   [pid  9390] write(2, "a", 1a)            = 1
   [pid  9390] write(2, "\nN", 2

So somehow the \x92 character gets replaced, but also the trailing "r"
(from rar) is removed.

This happened in a utf-8 based locale (en_DK.UTF-8), which is probably
related.

Obviously, unrar should not mangle filenames, as filenames are
octet-strings, not locale-encoded.

-- System Information:
Debian Release: 10.2
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'stable-debug'), (500, 'oldstable-updates'), (500, 'oldstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, x32

Kernel: Linux 5.4.7-050407-generic (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages unrar depends on:
ii  libc6       2.28-10
ii  libgcc1     1:9.2.1-15
ii  libstdc++6  8.3.0-6

unrar recommends no packages.

unrar suggests no packages.

-- no debconf information
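
A regression check built from the strace output in the report above, as an added example that is not part of the original report or of unrar: it unescapes strace's quoted strings, flags any stat() path that is a truncated copy of an argv element, and decodes the bytes written to stderr. The function names are hypothetical, and the trace is a constructed sample assembled from the lines quoted in the report.

```python
import re

# Constructed sample: strace lines from the report, re-joined onto single lines.
TRACE = r'''
[pid  9326] execve("/bin/unrar", ["unrar", "x", "x\222.rar"], 0x5555557679f0 /* 112 vars */) = 0
[pid  9326] stat("x\222.ra", 0x7ffffffef1d0) = -1 ENOENT (No such file or directory)
[pid  9390] write(2, "\357\277\276", 3) = 3
[pid  9390] write(2, "\356\202\222", 3) = 3
'''

_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
_ESCAPE = re.compile(rb'\\([0-7]{1,3}|x[0-9a-fA-F]{2}|.)')
_SIMPLE = {b"n": b"\n", b"t": b"\t", b"r": b"\r", b"v": b"\v", b"f": b"\f"}

def unescape(text):
    """Convert the body of a strace-quoted string to the raw bytes it denotes."""
    def one(m):
        e = m.group(1)
        if e[:1] in b"01234567":             # octal escape such as \222
            return bytes([int(e, 8) & 0xFF])
        if len(e) == 3:                      # hex escape \xHH
            return bytes([int(e[1:], 16)])
        return _SIMPLE.get(e, e)             # \n, \t, ... otherwise the char itself
    return _ESCAPE.sub(one, text.encode("latin-1"))

def syscalls(trace, name):
    """Yield the unescaped string arguments of every name(...) call in the trace."""
    for line in trace.splitlines():
        if re.search(rf"\b{name}\(", line):
            yield [unescape(q) for q in _QUOTED.findall(line)]

def truncated_args(trace):
    """Pairs (argv element, stat path) where the path is a proper prefix of the argument."""
    argv = [a for call in syscalls(trace, "execve") for a in call[1:]]
    stats = [call[0] for call in syscalls(trace, "stat") if call]
    return [(a, p) for p in stats for a in argv
            if p and p not in argv and a.startswith(p)]

def stderr_codepoints(trace):
    """Decode the bytes passed to write() as UTF-8 and name each code point."""
    data = b"".join(call[0] for call in syscalls(trace, "write") if call)
    return [f"U+{ord(ch):04X}" for ch in data.decode("utf-8")]

if __name__ == "__main__":
    for arg, path in truncated_args(TRACE):
        print(f"argv {arg!r} was stat()ed as {path!r}")
    print("stderr code points:", " ".join(stderr_codepoints(TRACE)))
```

The six stderr bytes decode to U+FFFE followed by U+E092, and the low byte of the second code point is 0x92, the byte from the original filename.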
