Bug#774172: rar: symlink directory traversal

2017-08-29 Thread Salvatore Bonaccorso 
This should be fixed in 5.21 upstream:

+   Version 5.21
+
+   1. While previous versions could produce RAR5 volumes of slightly
+  smaller than requested size sometimes, such situation is less
+  likely now. In most cases volume size equals to specified by user.
+
+   2. Now by default RAR skips symbolic links with absolute paths
+  in link target when extracting. You can enable creating such links
+  with -ola switch.
+
+  Such links pointing to directories outside of extraction destination
+  directory can present a security risk. Enable their extraction only
+  if you are sure that archive contents is safe, such as your own backup.

the first version in unstable containging the fix should be 2:5.3.b2-1.

Regards,
Salvatore

Bug#774172: rar: symlink directory traversal

2016-12-27 Thread Martin Meredith 
This has been passed on upstream, with no responses as it should have been
marked.

On 27 Dec 2016 3:21 p.m., "Moritz Mühlenhoff"  wrote:

> On Mon, Dec 29, 2014 at 10:29:28PM +0100, Jakub Wilk wrote:
> > Package: rar
> > Version: 2:4.2.0-1
> > Tags: security
> >
> > RAR follows symlinks when unpacking stuff, even the symlinks that were
> > created during the same unpack process.
> > It is therefore possible to create a malicious RAR archive that will be
> > unpacked into arbitrary directory outside cwd.
>
> What't the status? This bug hasn't seen maintainer acknowledgement in
> two years?
>
> Cheers,
> Moritz
>

Bug#774172: rar: symlink directory traversal

2016-12-27 Thread Moritz Mühlenhoff 
On Mon, Dec 29, 2014 at 10:29:28PM +0100, Jakub Wilk wrote:
> Package: rar
> Version: 2:4.2.0-1
> Tags: security
> 
> RAR follows symlinks when unpacking stuff, even the symlinks that were
> created during the same unpack process.
> It is therefore possible to create a malicious RAR archive that will be
> unpacked into arbitrary directory outside cwd.

What't the status? This bug hasn't seen maintainer acknowledgement in
two years?

Cheers,
Moritz

Bug#774172: rar: symlink directory traversal

2014-12-29 Thread Jakub Wilk 

Package: rar
Version: 2:4.2.0-1
Tags: security

RAR follows symlinks when unpacking stuff, even the symlinks that were 
created during the same unpack process.
It is therefore possible to create a malicious RAR archive that will be 
unpacked into arbitrary directory outside cwd.


Proof of concept:

$ pwd
/home/jwilk

$ rar x traversal.rar

RAR 4.20   Copyright (c) 1993-2012 Alexander Roshal   9 Jun 2012
Trial version Type RAR -? for help


Extracting from traversal.rar

Extracting  tmp   OK
Extracting  tmp/moo   OK
All OK

$ ls -l /tmp/moo
-rw-r--r-- 1 jwilk jwilk 4 Dec 29 21:41 /tmp/moo


-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--
Jakub Wilk


traversal.rar
Description: application/rar