Bug#774172: rar: symlink directory traversal
This should be fixed in 5.21 upstream: + Version 5.21 + + 1. While previous versions could produce RAR5 volumes of slightly + smaller than requested size sometimes, such situation is less + likely now. In most cases volume size equals to specified by user. + + 2. Now by default RAR skips symbolic links with absolute paths + in link target when extracting. You can enable creating such links + with -ola switch. + + Such links pointing to directories outside of extraction destination + directory can present a security risk. Enable their extraction only + if you are sure that archive contents is safe, such as your own backup. the first version in unstable containging the fix should be 2:5.3.b2-1. Regards, Salvatore
Bug#774172: rar: symlink directory traversal
This has been passed on upstream, with no responses as it should have been marked. On 27 Dec 2016 3:21 p.m., "Moritz Mühlenhoff"wrote: > On Mon, Dec 29, 2014 at 10:29:28PM +0100, Jakub Wilk wrote: > > Package: rar > > Version: 2:4.2.0-1 > > Tags: security > > > > RAR follows symlinks when unpacking stuff, even the symlinks that were > > created during the same unpack process. > > It is therefore possible to create a malicious RAR archive that will be > > unpacked into arbitrary directory outside cwd. > > What't the status? This bug hasn't seen maintainer acknowledgement in > two years? > > Cheers, > Moritz >
Bug#774172: rar: symlink directory traversal
On Mon, Dec 29, 2014 at 10:29:28PM +0100, Jakub Wilk wrote: > Package: rar > Version: 2:4.2.0-1 > Tags: security > > RAR follows symlinks when unpacking stuff, even the symlinks that were > created during the same unpack process. > It is therefore possible to create a malicious RAR archive that will be > unpacked into arbitrary directory outside cwd. What't the status? This bug hasn't seen maintainer acknowledgement in two years? Cheers, Moritz
Bug#774172: rar: symlink directory traversal
Package: rar Version: 2:4.2.0-1 Tags: security RAR follows symlinks when unpacking stuff, even the symlinks that were created during the same unpack process. It is therefore possible to create a malicious RAR archive that will be unpacked into arbitrary directory outside cwd. Proof of concept: $ pwd /home/jwilk $ rar x traversal.rar RAR 4.20 Copyright (c) 1993-2012 Alexander Roshal 9 Jun 2012 Trial version Type RAR -? for help Extracting from traversal.rar Extracting tmp OK Extracting tmp/moo OK All OK $ ls -l /tmp/moo -rw-r--r-- 1 jwilk jwilk 4 Dec 29 21:41 /tmp/moo -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- Jakub Wilk traversal.rar Description: application/rar