First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 70966
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Luke Macken (RETIRED) <lewk@gentoo.org>
Add CC:
CC:
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
unarj-overflow.diff unarj-overflow.diff patch solar 2004-11-12 08:00 0000 1.49 KB Details | Diff
unarj-path.diff unarj-path.diff patch solar 2004-11-12 08:01 0000 2.97 KB Details | Diff
overflow.arj overflow.arj application/octet-stream solar 2004-11-19 06:52 0000 2.06 KB Details
path.arj path.arj application/octet-stream solar 2004-11-19 06:53 0000 143 bytes Details
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 70966 depends on: Show dependency tree
Bug 70966 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2004-11-12 07:53 0000 
TITLE:
UNARJ Filename Handling Buffer Overflow Vulnerability

SECUNIA ADVISORY ID:
SA13177

VERIFY ADVISORY:
http://secunia.com/advisories/13177/

CRITICAL:
Moderately critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
UNARJ 2.x
http://secunia.com/product/4036/

DESCRIPTION:
A vulnerability has been reported in UNARJ, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the handling of long filenames in archives. This can be exploited to cause a buffer overflow by tricking a user into opening a malicious archive with a specially crafted path.

Successful exploitation may allow execution of arbitrary code.

SOLUTION:
The vendor reports that UNARJ is just a demonstration product and should not be used on production systems.

The vendor recommends users to use ARJ instead.

PROVIDED AND/OR DISCOVERED BY:
First reported in a Fedora advisory.

ORIGINAL ADVISORY:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138468

------- Comment #1 From solar 2004-11-12 08:00:38 0000 ------- 
Created an attachment (id=43787) [details]
unarj-overflow.diff

patch #1

------- Comment #2 From solar 2004-11-12 08:01:12 0000 ------- 
Created an attachment (id=43788) [details]
unarj-path.diff

patch #2

------- Comment #3 From solar 2004-11-12 08:40:49 0000 ------- 
patches come from Ludwig Nussel <ludwig.nussel.@suse.de>

------- Comment #4 From Sune Kloppenborg Jeppesen 2004-11-12 23:27:21 0000 ------- 
Solar this is unmaintained will you patch?

------- Comment #5 From solar 2004-11-14 19:48:50 0000 ------- 
Using commit message:
------------------------------------------------------------------------------
security bump - CAN-2004-0947 - bug 70966
------------------------------------------------------------------------------

Old:
unarj-2.63a-r1 
KEYWORDS="x86 ppc sparc alpha arm amd64"

New 
unarj-2.63a-r2 
KEYWORDS="~x86 ~ppc ~sparc ~alpha ~arm ~amd64"

Arch maintainers you can do the Hokey-Pokey and turn your arch around.

------- Comment #6 From Jochen Maes (RETIRED) 2004-11-14 23:48:01 0000 ------- 
stable on ppc

------- Comment #7 From Gustavo Zacarias (RETIRED) 2004-11-15 05:21:40 0000 ------- 
sparc stable.

------- Comment #8 From Bryan Østergaard (RETIRED) 2004-11-16 01:23:15 0000 ------- 
Stable on alpha.

------- Comment #9 From Simon Stelling (RETIRED) 2004-11-16 02:54:39 0000 ------- 
stable on amd64

------- Comment #10 From Sune Kloppenborg Jeppesen 2004-11-16 23:33:51 0000 ------- 
x86 please mark stable.

------- Comment #11 From Olivier Crete 2004-11-18 07:27:26 0000 ------- 
sorry for the delay.. its there

------- Comment #12 From solar 2004-11-19 06:52:27 0000 ------- 
Created an attachment (id=44273) [details]
overflow.arj

solar@simple a $ unarj overflow.arj 
UNARJ (Demo version) 2.63 Copyright (c) 1991-2000 ARJ Software, Inc.

Processing archive: overflow.arj
Archive created: 2004-11-08 12:28:06, modified: 2004-11-08 12:30:28

Bad header

------- Comment #13 From solar 2004-11-19 06:53:21 0000 ------- 
Created an attachment (id=44274) [details]
path.arj

solar@simple a $ unarj path.arj 
UNARJ (Demo version) 2.63 Copyright (c) 1991-2000 ARJ Software, Inc.

Processing archive: path.arj
Archive created: 2004-11-09 13:23:52, modified: 2004-11-09 13:23:52
Filename       Original Compressed Ratio DateTime modified CRC-32   AttrBTPMGVX

------------ ---------- ---------- ----- ----------------- -------- -----------

FOO		      4 	 4 1.000 04-10-13 11:00:04 7E3265A8	 B+0   

------------ ---------- ---------- ----- -----------------
     1 files	      4 	 4 1.000 04-11-09 13:23:52

------- Comment #14 From solar 2004-11-19 06:53:55 0000 ------- 
Two POC arj's for testing.

------- Comment #15 From solar 2004-11-19 06:55:07 0000 ------- 
arch arm remains.. SpankY poke poke.

------- Comment #16 From Thierry Carrez (RETIRED) 2004-11-19 14:30:38 0000 ------- 
GLSA 200411-29
arm should mark stable to benefit from GLSA
First Last Prev Next    No search results available      Search page      Enter new bug