Package: unrar Version: 1:5.6.6-2 Severity: normal Dear Maintainer,
when passing certain (archive) filenames to unrar, unrar will corrupt them and not be able to open them. The peculiar way this corruption occurs hints at possible security issues. Example: strace -feexecve,stat perl -e 'system "unrar", "x", "x\x92.rar"' Outputs, among other things: [pid 9326] execve("/bin/unrar", ["unrar", "x", "x\222.rar"], 0x5555557679f0 /* 112 vars */) = 0 [pid 9326] stat("x\222.ra", 0x7ffffffef1d0) = -1 ENOENT (No such file or directory) Cannot open x�.ra (the later filename is written like this): [pid 9390] write(2, "x", 1x) = 1 [pid 9390] write(2, "\357\277\276", 3�) = 3 [pid 9390] write(2, "\356\202\222", 3) = 3 [pid 9390] write(2, ".", 1.) = 1 [pid 9390] write(2, "r", 1r) = 1 [pid 9390] write(2, "a", 1a) = 1 [pid 9390] write(2, "\nN", 2 So somehow the \x92 character gets replaced, but also the trailing "r" (from rar) is removed. This happened in a utf-8 based locale (en_DK.UTF-8), which is probably related. Obviously, unrar should not mangle filenames, as filenames are octet-strings, not locale-encoded. -- System Information: Debian Release: 10.2 APT prefers stable APT policy: (990, 'stable'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'stable-debug'), (500, 'oldstable-updates'), (500, 'oldstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386, x32 Kernel: Linux 5.4.7-050407-generic (SMP w/8 CPU cores) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_DK.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages unrar depends on: ii libc6 2.28-10 ii libgcc1 1:9.2.1-15 ii libstdc++6 8.3.0-6 unrar recommends no packages. unrar suggests no packages. -- no debconf information