Your message dated Sat, 05 Sep 2015 14:33:54 +0100
with message-id <[email protected]>
and subject line Closing bugs for 7.9
has caused the Debian Bug report #783659,
regarding wheezy-pu: package unrar-nonfree/1:4.1.4-1+deb7u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
783659: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783659
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: [email protected]
Usertags: pu
Hi,
unrar-nonfree is affected by a symlink directory traversal vulnerability,
see bug #774171.
(wheezy is currently incorrectly marked as <not-affected> in the security
tracker.)
Attached is a debdiff that has a backport of the upstream fix.
Cheers,
Felix
diff -Nru unrar-nonfree-4.1.4/debian/changelog unrar-nonfree-4.1.4/debian/changelog
--- unrar-nonfree-4.1.4/debian/changelog 2012-02-14 23:40:11.000000000 +0100
+++ unrar-nonfree-4.1.4/debian/changelog 2015-04-28 21:39:45.000000000 +0200
@@ -1,3 +1,10 @@
+unrar-nonfree (1:4.1.4-1+deb7u1) wheezy; urgency=medium
+
+ * Fix a symlink directory traversal vulnerability (Closes: #774171)
+ - Add debian/patches/fix-dir-traversal
+
+ -- Felix Geyer <[email protected]> Tue, 28 Apr 2015 21:38:08 +0200
+
unrar-nonfree (1:4.1.4-1) unstable; urgency=low
* New upstream release
diff -Nru unrar-nonfree-4.1.4/debian/patches/fix-dir-traversal unrar-nonfree-4.1.4/debian/patches/fix-dir-traversal
--- unrar-nonfree-4.1.4/debian/patches/fix-dir-traversal 1970-01-01 01:00:00.000000000 +0100
+++ unrar-nonfree-4.1.4/debian/patches/fix-dir-traversal 2015-04-28 21:44:33.000000000 +0200
@@ -0,0 +1,120 @@
+Description: Fix a symlink directory traversal vulnerability.
+ Backported from version 5.2.7.
+Bug-Debian: https://bugs.debian.org/774171
+
+--- unrar-nonfree-4.1.4.orig/cmddata.cpp
++++ unrar-nonfree-4.1.4/cmddata.cpp
+@@ -538,6 +538,8 @@ void CommandData::ProcessSwitch(const ch
+ #ifdef SAVE_LINKS
+ case 'L':
+ SaveLinks=true;
++ if (etoupper(Switch[2])=='A')
++ AbsoluteLinks=true;
+ break;
+ #endif
+ #ifdef _WIN_ALL
+--- unrar-nonfree-4.1.4.orig/extract.cpp
++++ unrar-nonfree-4.1.4/extract.cpp
+@@ -856,7 +856,7 @@ bool CmdExtract::ExtractCurrentFile(Comm
+ CurFile.SetAllowDelete(!Cmd->KeepBroken);
+
+ bool LinkCreateMode=!Cmd->Test && !SkipSolid;
+- if (ExtractLink(DataIO,Arc,DestFileName,DataIO.UnpFileCRC,LinkCreateMode))
++ if (ExtractLink(Cmd,DataIO,Arc,DestFileName,DataIO.UnpFileCRC,LinkCreateMode))
+ PrevExtracted=LinkCreateMode;
+ else
+ if ((Arc.NewLhd.Flags & LHD_SPLIT_BEFORE)==0)
+--- unrar-nonfree-4.1.4.orig/loclang.hpp
++++ unrar-nonfree-4.1.4/loclang.hpp
+@@ -99,7 +99,7 @@
+ #define MCHelpSwNal "\n n@<list> Include files listed in specified list file"
+ #define MCHelpSwO "\n o[+|-] Set the overwrite mode"
+ #define MCHelpSwOC "\n oc Set NTFS Compressed attribute"
+-#define MCHelpSwOL "\n ol Save symbolic links as the link instead of the file"
++#define MCHelpSwOL "\n ol[a] Process symbolic links as the link [absolute paths]"
+ #define MCHelpSwOR "\n or Rename files automatically"
+ #define MCHelpSwOS "\n os Save NTFS streams"
+ #define MCHelpSwOW "\n ow Save or restore file owner and group"
+--- unrar-nonfree-4.1.4.orig/options.hpp
++++ unrar-nonfree-4.1.4/options.hpp
+@@ -116,6 +116,7 @@ class RAROptions
+ int ConvertNames;
+ bool ProcessOwners;
+ bool SaveLinks;
++ bool AbsoluteLinks;
+ int Priority;
+ int SleepTime;
+ bool KeepBroken;
+--- unrar-nonfree-4.1.4.orig/ulinks.cpp
++++ unrar-nonfree-4.1.4/ulinks.cpp
+@@ -2,7 +2,44 @@
+
+
+
+-bool ExtractLink(ComprDataIO &DataIO,Archive &Arc,const char *LinkName,uint &LinkCRC,bool Create)
++static bool IsFullRootPath(const char *PathA) // Unix ASCII version.
++{
++ return *PathA==CPATHDIVIDER;
++}
++
++
++static bool IsRelativeSymlinkSafe(const char *SrcName,const char *TargetName)
++{
++ if (IsFullRootPath(SrcName))
++ return false;
++ int AllowedDepth=0;
++ while (*SrcName!=0)
++ {
++ if (IsPathDiv(SrcName[0]) && SrcName[1]!=0 && !IsPathDiv(SrcName[1]))
++ {
++ bool Dot=SrcName[1]=='.' && (IsPathDiv(SrcName[2]) || SrcName[2]==0);
++ bool Dot2=SrcName[1]=='.' && SrcName[2]=='.' && (IsPathDiv(SrcName[3]) || SrcName[3]==0);
++ if (!Dot && !Dot2)
++ AllowedDepth++;
++ }
++ SrcName++;
++ }
++ if (IsFullRootPath(TargetName)) // Catch root dir based /path/file paths.
++ return false;
++ for (int Pos=0;*TargetName!=0;Pos++)
++ {
++ bool Dot2=TargetName[0]=='.' && TargetName[1]=='.' &&
++ (IsPathDiv(TargetName[2]) || TargetName[2]==0) &&
++ (Pos==0 || IsPathDiv(*(TargetName-1)));
++ if (Dot2)
++ AllowedDepth--;
++ TargetName++;
++ }
++ return AllowedDepth>=0;
++}
++
++
++bool ExtractLink(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const char *LinkName,uint &LinkCRC,bool Create)
+ {
+ #if defined(SAVE_LINKS) && defined(_UNIX)
+ char LinkTarget[NM];
+@@ -13,6 +50,13 @@ bool ExtractLink(ComprDataIO &DataIO,Arc
+ LinkTarget[DataSize]=0;
+ if (Create)
+ {
++ if (!Cmd->AbsoluteLinks && (IsFullRootPath(LinkTarget) ||
++ !IsRelativeSymlinkSafe(Arc.FileName,LinkTarget))) {
++ int NameSize=Min(DataSize,strlen(LinkTarget));
++ LinkCRC=CRC(0xffffffff,LinkTarget,NameSize);
++ return(false);
++ }
++
+ CreatePath(LinkName,NULL,true);
+ if (symlink(LinkTarget,LinkName)==-1) // Error.
+ if (errno==EEXIST)
+--- unrar-nonfree-4.1.4.orig/ulinks.hpp
++++ unrar-nonfree-4.1.4/ulinks.hpp
+@@ -3,7 +3,7 @@
+
+ void SaveLinkData(ComprDataIO &DataIO,Archive &TempArc,FileHeader &hd,
+ const char *Name);
+-bool ExtractLink(ComprDataIO &DataIO,Archive &Arc,const char *LinkName,
++bool ExtractLink(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const char *LinkName,
+ uint &LinkCRC,bool Create);
+
+ #endif
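Review bot: `IsRelativeSymlinkSafe(Arc.FileName,LinkTarget)` in the new ExtractLink check passes what looks like the archive's own on-disk path as SrcName, while the depth counting in IsRelativeSymlinkSafe is meant to run over the link entry's path inside the archive (the extract.cpp hunk reads the current entry's header through `Arc.NewLhd.Flags`, so the entry name would presumably be `Arc.NewLhd.FileName`). If that reading is right, the number of `..` components a target may contain depends on how the archive was named on the command line rather than on where the link sits in the archive: an absolute archive path makes IsFullRootPath(SrcName) true and rejects every relative link, and a relative archive path with directory components grants depth that a shallow link entry should not get. Suggested change: `!IsRelativeSymlinkSafe(Arc.NewLhd.FileName,LinkTarget))) {`, to be confirmed against the 4.1.4 Archive/FileHeader definitions and the 5.2.7 call site this is backported from. The body of ExtractLink continues past the end of the nested hunk, so the handling after the `symlink` call is not visible here.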
diff -Nru unrar-nonfree-4.1.4/debian/patches/series unrar-nonfree-4.1.4/debian/patches/series
--- unrar-nonfree-4.1.4/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ unrar-nonfree-4.1.4/debian/patches/series 2015-04-28 21:44:26.000000000 +0200
@@ -0,0 +1 @@
+fix-dir-traversal
--- End Message ---
--- Begin Message ---
Version: 7.9
Hi,
These bugs relate to updates which were included in the 7.9 point
release.
Regards,
Adam
--- End Message ---