Package: unrar Version: 1:5.0.10-1 Tags: securityUNRAR follows symlinks when unpacking stuff, even the symlinks that were created during the same unpack process. It is therefore possible to create a malicious RAR archive that will be unpacked into arbitrary directory outside cwd.
Proof of concept: $ pwd /home/jwilk $ unrar x traversal.rar UNRAR 5.00 beta 8 freeware Copyright (c) 1993-2013 Alexander Roshal Extracting from traversal.rar Extracting tmp OK Extracting tmp/moo OK All OK $ ls -l /tmp/moo -rw-r--r-- 1 jwilk jwilk 4 Dec 29 21:41 /tmp/moo -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages unrar depends on: ii libc6 2.19-13 ii libgcc1 1:4.9.2-10 ii libstdc++6 4.9.2-10 -- Jakub Wilk
traversal.rar
Description: application/rar
