Your message dated Tue, 29 Aug 2017 11:25:37 +0100
with message-id
<cakdqwucqtvux_emczcvgq-aqf_pkfbhxumf99afpwvd5fft...@mail.gmail.com>
and subject line Seems to be patched
has caused the Debian Bug report #774172,
regarding rar: CVE-2014-9983: symlink directory traversal
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
774172: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774172
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rar
Version: 2:4.2.0-1
Tags: security
RAR follows symlinks when unpacking stuff, even the symlinks that were
created during the same unpack process.
It is therefore possible to create a malicious RAR archive that will be
unpacked into an arbitrary directory outside the cwd.
Proof of concept:
$ pwd
/home/jwilk
$ rar x traversal.rar
RAR 4.20 Copyright (c) 1993-2012 Alexander Roshal 9 Jun 2012
Trial version Type RAR -? for help
Extracting from traversal.rar
Extracting tmp OK
Extracting tmp/moo OK
All OK
$ ls -l /tmp/moo
-rw-r--r-- 1 jwilk jwilk 4 Dec 29 21:41 /tmp/moo
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--
Jakub Wilk
traversal.rar
Description: application/rar
--- End Message ---
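The following Python is an added illustration, not code from the report or from RAR: it models the reported archive as a list of entries (constructed here) and shows the check an extractor needs, which is to resolve each target path against the tree as it exists at that moment, so that a symlink created by an earlier entry cannot redirect a later write outside the destination. A constructed benign archive whose symlink stays inside the destination is included for contrast.

```python
import os
import tempfile

# Constructed model of the archive in the report: a symlink "tmp" -> /tmp,
# then a regular file whose path passes through that symlink.
TRAVERSAL_ENTRIES = [
    {"name": "tmp", "type": "symlink", "target": "/tmp"},
    {"name": "tmp/moo", "type": "file", "data": b"moo\n"},
]
# Constructed benign archive: a symlink that stays inside the destination.
BENIGN_ENTRIES = [
    {"name": "sub", "type": "symlink", "target": "."},
    {"name": "sub/moo", "type": "file", "data": b"moo\n"},
]

def is_inside(root, path):
    """True if path, with every symlink resolved, is root or lies under it."""
    root = os.path.realpath(root)
    real = os.path.realpath(path)
    return real == root or real.startswith(root + os.sep)

def safe_extract(entries, dest):
    """Write entries under dest in archive order, refusing any entry whose
    resolved location escapes dest. Returns (written, refused) name lists."""
    written, refused = [], []
    for e in entries:
        path = os.path.join(dest, e["name"])
        parent = os.path.dirname(path)
        # Resolve against the tree as it exists *now*: a symlink created by an
        # earlier entry is followed here exactly as the extractor would follow it.
        if not (is_inside(dest, parent) and is_inside(dest, path)):
            refused.append(e["name"])
            continue
        os.makedirs(parent, exist_ok=True)
        if e["type"] == "symlink":
            os.symlink(e["target"], path)  # the link itself lands inside dest
        else:
            with open(path, "wb") as f:
                f.write(e["data"])
        written.append(e["name"])
    return written, refused

def extract_to_tempdir(entries):
    """Run safe_extract into a fresh temporary directory and report the outcome."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(entries, dest)

if __name__ == "__main__":
    print(extract_to_tempdir(TRAVERSAL_ENTRIES))  # (['tmp'], ['tmp/moo'])
    print(extract_to_tempdir(BENIGN_ENTRIES))     # (['sub', 'sub/moo'], [])
```

A production extractor would additionally open the target with O_NOFOLLOW (or an equivalent) so that a link created between the check and the write cannot be followed either.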
--- Begin Message ---
fixed 2:5.4.0+dfsg.1-0.1
thanks
Just looking over this - and I can't reproduce this in current versions.
I'm closing this - but please, feel free to re-open and send me further
details if there's a further fix.
--- End Message ---