Bug#: 70966
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Luke Macken (RETIRED) <lewk@gentoo.org>

Filename Description Type Creator Created Size Actions
unarj-overflow.diff unarj-overflow.diff patch solar 2004-11-12 08:00 0000 1.49 KB Details | Diff
unarj-path.diff unarj-path.diff patch solar 2004-11-12 08:01 0000 2.97 KB Details | Diff
overflow.arj overflow.arj application/octet-stream solar 2004-11-19 06:52 0000 2.06 KB Details
path.arj path.arj application/octet-stream solar 2004-11-19 06:53 0000 143 bytes Details

Description:   Opened: 2004-11-12 07:53 0000
TITLE:
UNARJ Filename Handling Buffer Overflow Vulnerability

SECUNIA ADVISORY ID:
SA13177

VERIFY ADVISORY:
http://secunia.com/advisories/13177/

CRITICAL:
Moderately critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
UNARJ 2.x
http://secunia.com/product/4036/

DESCRIPTION:
A vulnerability has been reported in UNARJ, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the handling of long filenames in archives. This can be exploited to cause a buffer overflow by tricking a user into opening a malicious archive with a specially crafted path.

Successful exploitation may allow execution of arbitrary code.

SOLUTION:
The vendor reports that UNARJ is just a demonstration product and should not be used on production systems.

The vendor recommends users to use ARJ instead.

PROVIDED AND/OR DISCOVERED BY:
First reported in a Fedora advisory.

ORIGINAL ADVISORY:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138468
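
The boundary error the advisory describes, as an added example that is not part of this bug report or of unarj's code: an extractor copies the filename stored in an archive header into a fixed-size buffer, and a name longer than that buffer overruns it. The header layout here is a constructed simplification (only a NUL-terminated name within a known number of header bytes), the buffer size FNAME_MAX is assumed, and the path rule is an assumption about what unarj-path.diff addresses, since the advisory only says "specially crafted path".

```c
/*
 * Added illustration of the bug class in SA13177 / CAN-2004-0947; this is
 * not unarj's source. The header layout is a constructed simplification
 * (just a NUL-terminated name inside a known number of header bytes), and
 * FNAME_MAX and the path rules are assumptions made for the example.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FNAME_MAX 256   /* assumed size of the extractor's fixed name buffer */

/* Vulnerable shape (never call this on untrusted input): the only stop
 * condition is the NUL stored in the archive, which the attacker controls,
 * so a long name runs strcpy past the end of name[]. Kept here only to
 * contrast with the checked version below. */
void copy_name_unsafe(char name[FNAME_MAX], const unsigned char *hdr)
{
    strcpy(name, (const char *)hdr);
}

/* Hardened form: the NUL must lie inside the bytes actually read from the
 * archive, and the name plus terminator must fit the destination.
 * Returns the name length, or -1 for a malformed or oversize name. */
int copy_name_checked(char name[FNAME_MAX], const unsigned char *hdr, size_t hdr_len)
{
    const unsigned char *nul = memchr(hdr, '\0', hdr_len);
    if (nul == NULL)
        return -1;                     /* unterminated inside the header */
    size_t n = (size_t)(nul - hdr);
    if (n >= FNAME_MAX)
        return -1;                     /* no room for the terminator */
    memcpy(name, hdr, n + 1);
    return (int)n;
}

/* Path rule (assumption: unarj-path.diff concerns where a crafted name may
 * be written). Reject empty, absolute, drive-letter and backslash names and
 * any ".." component so extraction stays under the current directory.
 * Returns 1 if the name is acceptable, 0 otherwise. */
int path_is_safe(const char *name)
{
    if (name[0] == '\0' || name[0] == '/' || strchr(name, '\\') != NULL)
        return 0;
    if (((name[0] >= 'A' && name[0] <= 'Z') || (name[0] >= 'a' && name[0] <= 'z'))
        && name[1] == ':')
        return 0;
    for (const char *p = name; ; ) {
        const char *slash = strchr(p, '/');
        size_t seg = slash ? (size_t)(slash - p) : strlen(p);
        if (seg == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (slash == NULL)
            return 1;
        p = slash + 1;
    }
}

/* Constructed test input: a header holding `len` bytes of 'A' and a NUL.
 * Returns what copy_name_checked reports for it (-2 if len exceeds the
 * scratch buffer). */
int check_constructed_name(size_t len)
{
    unsigned char hdr[1024];
    char name[FNAME_MAX];
    if (len + 1 > sizeof hdr)
        return -2;
    memset(hdr, 'A', len);
    hdr[len] = '\0';
    return copy_name_checked(name, hdr, len + 1);
}

/* Constructed header whose name never terminates within the bytes read. */
int check_unterminated(void)
{
    unsigned char hdr[4] = { 'F', 'O', 'O', 'X' };
    char name[FNAME_MAX];
    return copy_name_checked(name, hdr, sizeof hdr);
}

int main(void)
{
    const char *names[] = { "FOO", "dir/sub/file", "../../etc/passwd",
                            "/etc/passwd", "C:boot.ini", "a\\b" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s path_is_safe=%d\n", names[i], path_is_safe(names[i]));
    printf("255-byte name -> %d\n", check_constructed_name(255));
    printf("300-byte name -> %d\n", check_constructed_name(300));
    printf("unterminated  -> %d\n", check_unterminated());
    return 0;
}
```

The two checks are independent: the length check is what stops the overflow the advisory reports, while the path rule only matters once a name has been accepted and is about to be used to open a file for writing. Both belong before any extraction step, and a rejected entry should abort the archive rather than be skipped silently.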

------- Comment #1 From solar 2004-11-12 08:00:38 0000 -------
Created an attachment (id=43787)
unarj-overflow.diff

patch #1

------- Comment #2 From solar 2004-11-12 08:01:12 0000 -------
Created an attachment (id=43788)
unarj-path.diff

patch #2

------- Comment #3 From solar 2004-11-12 08:40:49 0000 -------
patches come from Ludwig Nussel <ludwig.nussel.@suse.de>

------- Comment #4 From Sune Kloppenborg Jeppesen 2004-11-12 23:27:21 0000 -------
Solar this is unmaintained will you patch?

------- Comment #5 From solar 2004-11-14 19:48:50 0000 -------
Using commit message:
------------------------------------------------------------------------------
security bump - CAN-2004-0947 - bug 70966
------------------------------------------------------------------------------

Old:
unarj-2.63a-r1 
KEYWORDS="x86 ppc sparc alpha arm amd64"

New 
unarj-2.63a-r2 
KEYWORDS="~x86 ~ppc ~sparc ~alpha ~arm ~amd64"

Arch maintainers you can do the Hokey-Pokey and turn your arch around.

------- Comment #6 From Jochen Maes (RETIRED) 2004-11-14 23:48:01 0000 -------
stable on ppc

------- Comment #7 From Gustavo Zacarias (RETIRED) 2004-11-15 05:21:40 0000 -------
sparc stable.

------- Comment #8 From Bryan Østergaard (RETIRED) 2004-11-16 01:23:15 0000 -------
Stable on alpha.

------- Comment #9 From Simon Stelling (RETIRED) 2004-11-16 02:54:39 0000 -------
stable on amd64

------- Comment #10 From Sune Kloppenborg Jeppesen 2004-11-16 23:33:51 0000 -------
x86 please mark stable.

------- Comment #11 From Olivier Crete 2004-11-18 07:27:26 0000 -------
sorry for the delay.. its there

------- Comment #12 From solar 2004-11-19 06:52:27 0000 -------
Created an attachment (id=44273)
overflow.arj

solar@simple a $ unarj overflow.arj 
UNARJ (Demo version) 2.63 Copyright (c) 1991-2000 ARJ Software, Inc.

Processing archive: overflow.arj
Archive created: 2004-11-08 12:28:06, modified: 2004-11-08 12:30:28

Bad header

------- Comment #13 From solar 2004-11-19 06:53:21 0000 -------
Created an attachment (id=44274)
path.arj

solar@simple a $ unarj path.arj 
UNARJ (Demo version) 2.63 Copyright (c) 1991-2000 ARJ Software, Inc.

Processing archive: path.arj
Archive created: 2004-11-09 13:23:52, modified: 2004-11-09 13:23:52
Filename       Original Compressed Ratio DateTime modified CRC-32   AttrBTPMGVX

------------ ---------- ---------- ----- ----------------- -------- -----------

FOO		      4 	 4 1.000 04-10-13 11:00:04 7E3265A8	 B+0   

------------ ---------- ---------- ----- -----------------
     1 files	      4 	 4 1.000 04-11-09 13:23:52

------- Comment #14 From solar 2004-11-19 06:53:55 0000 -------
Two POC arj's for testing.

------- Comment #15 From solar 2004-11-19 06:55:07 0000 -------
arch arm remains.. SpankY poke poke.

------- Comment #16 From Thierry Carrez (RETIRED) 2004-11-19 14:30:38 0000 -------
GLSA 200411-29
arm should mark stable to benefit from GLSA
