Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 628432 (CVE-2017-14120, CVE-2017-14121, CVE-2017-14122)

Summary: app-arch/unrar-gpl: Multiple Vulnerabilities
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2017/08/20/1
See Also: https://github.com/gentoo/gentoo/pull/8196
Whiteboard: B3 [upstream/cve]
Package list:
Runtime testing required: ---
Bug Depends on: 628474    
Bug Blocks:    

Description Hanno Böck gentoo-dev 2017-08-20 19:40:29 UTC 
See:
http://www.openwall.com/lists/oss-security/2017/08/20/1

unrar-gpl suffers from multiple security issues, notably from a trivial directory traversal vulnerability.

It is unmaintained upstream and not very useful these days (only supports old rarv2 files that are barely used these days, with libarchive another free rar unpacker that is much better maintained is available). Unless someone objects I'll probably just last-rite the package (I'm the Gentoo maintainer of it).
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-21 00:41:58 UTC 
Hanno, is this your own work or related to bug 628178 aka http://seclists.org/oss-sec/2017/q3/290?
Comment 2 Hanno Böck gentoo-dev 2017-08-21 06:39:25 UTC 
@Thomas: This is unrelated. unrar and unrar-gpl have an independent codebase. unrar is a non-free (but source available) tool from RAR upstream, unrar-gpl is a no longer maintained free alternative. bug 628178 is about the non-free unrar.
Comment 3 D'juan McDonald (domhnall) 2017-09-04 00:07:02 UTC 
Update:

(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14120)
unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a directory traversal vulnerability for RAR v2 archives: pathnames of the form ../[filename] are unpacked into the upper directory.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14121
The DecodeNumber function in unrarlib.c in unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a NULL pointer dereference flaw triggered by a specially crafted RAR archive.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14122
unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a stack-based buffer over-read in unrarlib.c, related to ExtrFile and stricomp.

@maintainer, I'm updating on your report for the cve reference, and noting that upstream is unresponsive or just not interested in package. It's your call to what happens next. 

Daj'Uan (jmbailey/mbailey_j)
Gentoo Security Padawan
Comment 4 Larry the Git Cow gentoo-dev 2018-05-05 01:50:46 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e37ce8b9eae1785939058f0d5af4d2e3422b5cc

commit 4e37ce8b9eae1785939058f0d5af4d2e3422b5cc
Author:     Michael Mair-Keimberger <m.mairkeimberger@gmail.com>
AuthorDate: 2018-04-29 08:23:49 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-05-05 01:43:53 +0000

    app-arch/unrar-gpl: treeclean
    
    Closes: https://bugs.gentoo.org/628432
    Closes: https://github.com/gentoo/gentoo/pull/8196

 app-arch/unrar-gpl/Manifest                        |  1 -
 .../unrar-gpl/files/unrar-gpl-0.0.1-solaris.patch  | 63 ----------------------
 app-arch/unrar-gpl/metadata.xml                    |  7 ---
 .../unrar-gpl/unrar-gpl-0.0.1_p20080417-r1.ebuild  | 24 ---------
 .../unrar-gpl/unrar-gpl-0.0.1_p20080417-r2.ebuild  | 32 -----------
 profiles/package.mask                              |  5 --
 6 files changed, 132 deletions(-)