Bug 628432 (CVE-2017-14120, CVE-2017-14121, CVE-2017-14122) - app-arch/unrar-gpl: Multiple Vulnerabilities
Summary: app-arch/unrar-gpl: Multiple Vulnerabilities
Alias: CVE-2017-14120, CVE-2017-14121, CVE-2017-14122
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B3 [upstream/cve]
Depends on: 628474
Reported: 2017-08-20 19:40 UTC by Hanno Böck
Modified: 2018-05-05 01:50 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Hanno Böck gentoo-dev 2017-08-20 19:40:29 UTC

unrar-gpl suffers from multiple security issues, notably from a trivial directory traversal vulnerability.

It is unmaintained upstream and not very useful these days (it only supports old rarv2 files that are barely used any more, and libarchive, another free rar unpacker that is much better maintained, is available). Unless someone objects I'll probably just last-rite the package (I'm the Gentoo maintainer of it).
Comment 1 Thomas Deutschmann gentoo-dev 2017-08-21 00:41:58 UTC
Hanno, is this your own work or related to bug 628178 aka
Comment 2 Hanno Böck gentoo-dev 2017-08-21 06:39:25 UTC
@Thomas: This is unrelated. unrar and unrar-gpl have an independent codebase. unrar is a non-free (but source available) tool from RAR upstream, unrar-gpl is a no longer maintained free alternative. bug 628178 is about the non-free unrar.
Comment 3 D'juan McDonald (domhnall) 2017-09-04 00:07:02 UTC

unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a directory traversal vulnerability for RAR v2 archives: pathnames of the form ../[filename] are unpacked into the upper directory.
The DecodeNumber function in unrarlib.c in unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a NULL pointer dereference flaw triggered by a specially crafted RAR archive.
unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a stack-based buffer over-read in unrarlib.c, related to ExtrFile and stricomp.

@maintainer, I'm updating on your report for the CVE reference, and noting that upstream is unresponsive or just not interested in the package. It's your call as to what happens next.

Daj'Uan (jmbailey/mbailey_j)
Gentoo Security Padawan
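The first issue above is the classic archive-extraction traversal: a stored entry name such as `../[filename]` is joined onto the destination directory without validation. The following is an added illustration of the check an extractor should apply before writing any entry; it is not code from unrar-gpl or from this bug, and `entry_path_is_safe` and `plan_extract` are hypothetical names (the sample entry names are constructed).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not unrar-gpl code. Returns true only if the stored entry
 * name stays below the destination: no absolute path (POSIX or Windows
 * drive/root form), and no ".." component with either separator, since RAR
 * archives produced on Windows commonly store backslashes. */
bool entry_path_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/' || name[0] == '\\')
        return false;                      /* "/etc/x" or "\x" */
    if (((name[0] >= 'A' && name[0] <= 'Z') ||
         (name[0] >= 'a' && name[0] <= 'z')) && name[1] == ':')
        return false;                      /* "C:\x" */
    const char *p = name;                  /* walk component by component */
    while (*p) {
        const char *end = p;
        while (*end && *end != '/' && *end != '\\')
            end++;
        size_t len = (size_t)(end - p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                  /* "../x", "a/../../x", "..\x" */
        p = (*end) ? end + 1 : end;
    }
    return true;
}

/* Simulated extraction step: builds dest/name only when the entry passed the
 * check. Returns 0 on success, -1 if the entry was refused or did not fit. */
int plan_extract(const char *dest, const char *name, char *out, size_t outlen)
{
    if (!entry_path_is_safe(name))
        return -1;
    if (snprintf(out, outlen, "%s/%s", dest, name) >= (int)outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample entry names, modelled on the "../[filename]" case. */
    const char *samples[] = { "docs/readme.txt", "../etc/passwd",
                              "a/../../x", "/abs/path", "C:\\win" };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = plan_extract("/tmp/out", samples[i], path, sizeof path);
        printf("%-16s -> %s\n", samples[i], rc == 0 ? path : "REFUSED");
    }
    return 0;
}
```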
Comment 4 Larry the Git Cow gentoo-dev 2018-05-05 01:50:46 UTC
The bug has been closed via the following commit(s):

commit 4e37ce8b9eae1785939058f0d5af4d2e3422b5cc
Author:     Michael Mair-Keimberger <>
AuthorDate: 2018-04-29 08:23:49 +0000
Commit:     Aaron Bauman <>
CommitDate: 2018-05-05 01:43:53 +0000

    app-arch/unrar-gpl: treeclean

 app-arch/unrar-gpl/Manifest                        |  1 -
 .../unrar-gpl/files/unrar-gpl-0.0.1-solaris.patch  | 63 ----------------------
 app-arch/unrar-gpl/metadata.xml                    |  7 ---
 .../unrar-gpl/unrar-gpl-0.0.1_p20080417-r1.ebuild  | 24 ---------
 .../unrar-gpl/unrar-gpl-0.0.1_p20080417-r2.ebuild  | 32 -----------
 profiles/package.mask                              |  5 --
 6 files changed, 132 deletions(-)