On Mon, Dec 29, 2014 at 10:29:10PM +0100, Jakub Wilk wrote:
> Package: unrar
> Version: 1:5.0.10-1
> Tags: security
> 
> UNRAR follows symlinks when unpacking stuff, even the symlinks that
> were created during the same unpack process.
> It is therefore possible to create a malicious RAR archive that will
> be unpacked into arbitrary directory outside cwd.
> 
> Proof of concept:
> 
> $ pwd
> /home/jwilk
> 
> $ unrar x traversal.rar
> 
> UNRAR 5.00 beta 8 freeware      Copyright (c) 1993-2013 Alexander Roshal
> 
> 
> Extracting from traversal.rar
> 
> Extracting  tmp                                                       OK
> Extracting  tmp/moo                                                   OK
> All OK
> 
> $ ls -l /tmp/moo
> -rw-r--r-- 1 jwilk jwilk 4 Dec 29 21:41 /tmp/moo

Martin, did you forward this (and the related issue in rar-nonfree) upstream? 

Cheers,
        Moritz
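
The report above describes the hazard: an extractor that honours a symlink which the same archive created a moment earlier will write later entries wherever that link points. The following is an added example (not code from this thread, from unrar or from Debian) of the checks a defensive extractor would apply. It works on a hypothetical, already-parsed listing of entries rather than on RAR data, and the `demo()` listing is constructed to mirror the PoC shape (a link named `tmp`, then `tmp/moo`), with a scratch directory standing in for `/tmp`:

```python
import os
import tempfile


def _inside(path, root):
    """True if path, after resolving every symlink on disk, lies under root."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return real_path == real_root or real_path.startswith(real_root + os.sep)


def _ensure_parent(dest, rel_parent):
    """Create rel_parent under dest one component at a time. Each component
    that already exists is re-resolved on disk, so a symlink written by an
    earlier archive entry cannot redirect the remaining components outside dest."""
    cur = dest
    for comp in (c for c in rel_parent.split("/") if c):
        cur = os.path.join(cur, comp)
        if os.path.lexists(cur):
            if not _inside(cur, dest):
                return False
        else:
            os.mkdir(cur)
    return True


def safe_extract(entries, dest):
    """Write archive entries below dest, refusing any that would escape it.

    entries: list of dicts (a hypothetical, already-parsed archive listing):
      {"name": "a/b", "type": "file", "data": b"..."} or
      {"name": "a/l", "type": "symlink", "target": "..."}
    Returns a list of (name, reason) for the entries that were refused."""
    dest = os.path.realpath(dest)
    rejected = []
    for entry in entries:
        name = entry["name"]
        # Lexical check: no absolute names and no '..' components.
        if os.path.isabs(name) or ".." in name.split("/"):
            rejected.append((name, "bad path component"))
            continue
        rel_parent, _ = os.path.split(name)
        # Physical check: the parent must resolve inside dest *now*, i.e. after
        # everything that earlier entries have already put on disk.
        if not _ensure_parent(dest, rel_parent):
            rejected.append((name, "parent resolves outside destination"))
            continue
        target = os.path.join(dest, name)
        if entry["type"] == "symlink":
            # Absolute targets stay absolute under os.path.join; relative ones
            # are resolved from the link's own directory, as the kernel would.
            link_target = os.path.join(os.path.dirname(target), entry["target"])
            if not _inside(link_target, dest):
                rejected.append((name, "symlink target outside destination"))
                continue
            os.symlink(entry["target"], target)
        else:
            # O_NOFOLLOW: never write through a symlink in the final component;
            # O_EXCL: never clobber a file that is already there.
            flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
            fd = os.open(target, flags, 0o644)
            with os.fdopen(fd, "wb") as fh:
                fh.write(entry["data"])
    return rejected


def demo():
    """Run safe_extract over a constructed listing shaped like the report's PoC
    (a symlink named 'tmp' followed by 'tmp/moo'), with a scratch directory in
    place of /tmp. Returns what was refused and where files ended up."""
    dest = tempfile.mkdtemp(prefix="unpack-")
    outside = tempfile.mkdtemp(prefix="outside-")
    # A symlink already on disk before extraction, not shipped in the archive.
    os.symlink(outside, os.path.join(dest, "pre"))
    entries = [
        {"name": "tmp", "type": "symlink", "target": outside},
        {"name": "tmp/moo", "type": "file", "data": b"moo\n"},
        {"name": "pre/x", "type": "file", "data": b"x\n"},
        {"name": "../esc", "type": "file", "data": b"e\n"},
        {"name": "sub/link", "type": "symlink", "target": "."},
        {"name": "sub/link/ok", "type": "file", "data": b"ok\n"},
    ]
    rejected = safe_extract(entries, dest)
    return {
        "rejected": sorted(name for name, _ in rejected),
        "escaped": sorted(os.listdir(outside)),
        "moo_inside": os.path.isfile(os.path.join(dest, "tmp", "moo"))
        and not os.path.islink(os.path.join(dest, "tmp")),
        "ok_inside": os.path.isfile(os.path.join(dest, "sub", "ok")),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `_ensure_parent` is that the check is repeated per component against what is on disk at that moment, not against the name string alone: a lexical scan for `..` would pass `tmp/moo` even though `tmp` was turned into a link by the previous entry. Links that stay inside the destination (`sub/link -> .`) are still allowed, so ordinary archives keep working.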

