TITLE: UNARJ Filename Handling Buffer Overflow Vulnerability
SECUNIA ADVISORY ID: SA13177
VERIFY ADVISORY: http://secunia.com/advisories/13177/
CRITICAL: Moderately critical
IMPACT: System access
WHERE: From remote
SOFTWARE: UNARJ 2.x http://secunia.com/product/4036/

DESCRIPTION: A vulnerability has been reported in UNARJ, which potentially can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the handling of long filenames in archives. This can be exploited to cause a buffer overflow by tricking a user into opening a malicious archive with a specially crafted path. Successful exploitation may allow execution of arbitrary code.

SOLUTION: The vendor reports that UNARJ is just a demonstration product and should not be used on production systems. The vendor recommends users to use ARJ instead.

PROVIDED AND/OR DISCOVERED BY: First reported in a Fedora advisory.

ORIGINAL ADVISORY: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138468
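The kind of boundary check the advisory's description calls for, as an added example that is not part of this bug thread and is not the code of the attached patches. The function name `copy_header_name` and the header layout (a NUL-terminated name at a given offset) are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/*
 * Copy a NUL-terminated filename out of an untrusted archive header.
 *   hdr, hdr_len  raw header bytes exactly as read from the archive
 *   offset        where the filename field starts inside the header
 *   out, out_size destination buffer owned by the caller
 * Returns the name length on success, -1 if the header must be rejected.
 * (Hypothetical helper; UNARJ's own code is not shown on this page.)
 */
long copy_header_name(const unsigned char *hdr, size_t hdr_len, size_t offset,
                      char *out, size_t out_size)
{
    const unsigned char *start, *end;
    size_t avail, len;

    if (hdr == NULL || out == NULL || out_size == 0)
        return -1;
    if (offset >= hdr_len)            /* field starts outside the header */
        return -1;

    start = hdr + offset;
    avail = hdr_len - offset;

    /* Look for the terminator only inside the bytes actually read, so an
     * unterminated name cannot make the scan run past the header. */
    end = memchr(start, '\0', avail);
    if (end == NULL)
        return -1;

    len = (size_t)(end - start);
    /* Reject instead of truncating: a silently shortened name could point
     * at a different file. Rejecting empty names is this example's policy. */
    if (len == 0 || len >= out_size)
        return -1;

    memcpy(out, start, len + 1);      /* len + 1 <= out_size, NUL included */
    return (long)len;
}
```

A caller would treat the -1 return as a malformed archive and stop processing it.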
Created attachment 43787 [details, diff] unarj-overflow.diff patch #1
Created attachment 43788 [details, diff] unarj-path.diff patch #2
patches come from Ludwig Nussel <ludwig.nussel.@suse.de>
Solar, this is unmaintained; will you patch?
Using commit message:
------------------------------------------------------------------------------
security bump - CAN-2004-0947 - bug 70966
------------------------------------------------------------------------------
Old: unarj-2.63a-r1 KEYWORDS="x86 ppc sparc alpha arm amd64"
New unarj-2.63a-r2 KEYWORDS="~x86 ~ppc ~sparc ~alpha ~arm ~amd64"

Arch maintainers you can do the Hokey-Pokey and turn your arch around.
stable on ppc
sparc stable.
Stable on alpha.
stable on amd64
x86 please mark stable.
Sorry for the delay.. it's there
Created attachment 44273 [details] overflow.arj

solar@simple a $ unarj overflow.arj
UNARJ (Demo version) 2.63 Copyright (c) 1991-2000 ARJ Software, Inc.

Processing archive: overflow.arj
Archive created: 2004-11-08 12:28:06, modified: 2004-11-08 12:30:28
Bad header

Created attachment 44274 [details] path.arj

solar@simple a $ unarj path.arj
UNARJ (Demo version) 2.63 Copyright (c) 1991-2000 ARJ Software, Inc.

Processing archive: path.arj
Archive created: 2004-11-09 13:23:52, modified: 2004-11-09 13:23:52

Filename       Original Compressed Ratio DateTime modified CRC-32   AttrBTPMGVX
------------ ---------- ---------- ----- ----------------- -------- -----------
FOO                   4          4 1.000 04-10-13 11:00:04 7E3265A8 B+0
------------ ---------- ---------- ----- -----------------
     1 files          4          4 1.000 04-11-09 13:23:52

Two POC arj's for testing.
arch arm remains.. SpankY poke poke.
GLSA 200411-29
arm should mark stable to benefit from GLSA