628432 – (CVE-2017-14120, CVE-2017-14121, CVE-2017-14122) app-arch/unrar-gpl: Multiple Vulnerabilities

Bug 628432 (CVE-2017-14120, CVE-2017-14121, CVE-2017-14122) - app-arch/unrar-gpl: Multiple Vulnerabilities

Summary: app-arch/unrar-gpl: Multiple Vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2017-14120, CVE-2017-14121, CVE-2017-14122

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	http://www.openwall.com/lists/oss-sec...
Whiteboard:	B3 [upstream/cve]
Keywords:

Depends on:	628474
Blocks:
	Show dependency tree

Reported:	2017-08-20 19:40 UTC by Hanno Böck
Modified:	2018-05-05 01:50 UTC (History)
CC List:	0 users

See Also:	https://github.com/gentoo/gentoo/pull/8196
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hanno Böck gentoo-dev

2017-08-20 19:40:29 UTC

See:
http://www.openwall.com/lists/oss-security/2017/08/20/1

unrar-gpl suffers from multiple security issues, notably from a trivial directory traversal vulnerability.

It is unmaintained upstream and not very useful these days (only supports old rarv2 files that are barely used these days, with libarchive another free rar unpacker that is much better maintained is available). Unless someone objects I'll probably just last-rite the package (I'm the Gentoo maintainer of it).

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2017-08-21 00:41:58 UTC

Hanno, is this your own work or related to bug 628178 aka http://seclists.org/oss-sec/2017/q3/290?

Comment 2 Hanno Böck gentoo-dev

2017-08-21 06:39:25 UTC

@Thomas: This is unrelated. unrar and unrar-gpl have an independent codebase. unrar is a non-free (but source available) tool from RAR upstream, unrar-gpl is a no longer maintained free alternative. bug 628178 is about the non-free unrar.

Comment 3 D'juan McDonald (domhnall) 2017-09-04 00:07:02 UTC

Update:

(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14120)
unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a directory traversal vulnerability for RAR v2 archives: pathnames of the form ../[filename] are unpacked into the upper directory.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14121
The DecodeNumber function in unrarlib.c in unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a NULL pointer dereference flaw triggered by a specially crafted RAR archive.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14122
unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a stack-based buffer over-read in unrarlib.c, related to ExtrFile and stricomp.

@maintainer, I'm updating on your report for the cve reference, and noting that upstream is unresponsive or just not interested in package. It's your call to what happens next. 

Daj'Uan (jmbailey/mbailey_j)
Gentoo Security Padawan

Comment 4 Larry the Git Cow gentoo-dev

2018-05-05 01:50:46 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e37ce8b9eae1785939058f0d5af4d2e3422b5cc

commit 4e37ce8b9eae1785939058f0d5af4d2e3422b5cc
Author:     Michael Mair-Keimberger <m.mairkeimberger@gmail.com>
AuthorDate: 2018-04-29 08:23:49 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-05-05 01:43:53 +0000

    app-arch/unrar-gpl: treeclean
    
    Closes: https://bugs.gentoo.org/628432
    Closes: https://github.com/gentoo/gentoo/pull/8196

 app-arch/unrar-gpl/Manifest                        |  1 -
 .../unrar-gpl/files/unrar-gpl-0.0.1-solaris.patch  | 63 ----------------------
 app-arch/unrar-gpl/metadata.xml                    |  7 ---
 .../unrar-gpl/unrar-gpl-0.0.1_p20080417-r1.ebuild  | 24 ---------
 .../unrar-gpl/unrar-gpl-0.0.1_p20080417-r2.ebuild  | 32 -----------
 profiles/package.mask                              |  5 --
 6 files changed, 132 deletions(-)