Bug 628432 (CVE-2017-14120, CVE-2017-14121, CVE-2017-14122) - app-arch/unrar-gpl: Multiple Vulnerabilities
Summary: app-arch/unrar-gpl: Multiple Vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-14120, CVE-2017-14121, CVE-2017-14122
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [upstream/cve]
Depends on: 628474
Reported: 2017-08-20 19:40 UTC by Hanno Böck
Modified: 2018-05-05 01:50 UTC

Description Hanno Böck gentoo-dev 2017-08-20 19:40:29 UTC
See:
http://www.openwall.com/lists/oss-security/2017/08/20/1

unrar-gpl suffers from multiple security issues, notably from a trivial directory traversal vulnerability.

It is unmaintained upstream and not very useful these days (it only supports old rarv2 files that are barely used these days; with libarchive, another free rar unpacker that is much better maintained is available). Unless someone objects I'll probably just last-rite the package (I'm the Gentoo maintainer of it).
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-08-21 00:41:58 UTC
Hanno, is this your own work or related to bug 628178 aka http://seclists.org/oss-sec/2017/q3/290?
Comment 2 Hanno Böck gentoo-dev 2017-08-21 06:39:25 UTC
@Thomas: This is unrelated. unrar and unrar-gpl have an independent codebase. unrar is a non-free (but source available) tool from RAR upstream, unrar-gpl is a no longer maintained free alternative. bug 628178 is about the non-free unrar.
Comment 3 D'juan McDonald (domhnall) 2017-09-04 00:07:02 UTC
Update:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14120
unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a directory traversal vulnerability for RAR v2 archives: pathnames of the form ../[filename] are unpacked into the upper directory.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14121
The DecodeNumber function in unrarlib.c in unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a NULL pointer dereference flaw triggered by a specially crafted RAR archive.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14122
unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a stack-based buffer over-read in unrarlib.c, related to ExtrFile and stricomp.

@maintainer, I'm updating on your report for the CVE reference, and noting that upstream is unresponsive or just not interested in the package. It's your call as to what happens next.

Daj'Uan (jmbailey/mbailey_j)
Gentoo Security Padawan
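
Added example, not part of the bug report and not unrar-gpl's code: a C check of the kind that stops the `../[filename]` traversal described for CVE-2017-14120, applied to each member name before it is joined to the output directory. The function name `member_name_is_safe` and the sample names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not part of unrar-gpl: true only if a member name
 * taken from an archive header is safe to join onto the extraction dir. */
bool member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    /* Absolute paths ("/etc/x", "\\x") and drive prefixes ("C:x"). */
    if (name[0] == '/' || name[0] == '\\' || name[1] == ':')
        return false;

    bool has_component = false;
    for (const char *p = name; *p != '\0'; ) {
        /* Component length; treat both '/' and '\\' as separators,
         * since names written on Windows may use backslashes. */
        size_t len = strcspn(p, "/\\");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;             /* any ".." component is refused */
        if (len > 0 && !(len == 1 && p[0] == '.'))
            has_component = true;     /* a real file or directory name */
        p += len;
        if (*p != '\0')
            p++;                      /* step over the separator */
    }
    return has_component;
}

int main(void)
{
    /* Constructed sample names, not taken from any real archive. */
    const char *samples[] = { "docs/readme.txt", "../evil.txt",
                              "a/../../evil.txt", "..\\evil.txt",
                              "/etc/passwd", "C:\\boot.ini", "..notes" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s %s\n", samples[i],
               member_name_is_safe(samples[i]) ? "extract" : "refuse");
    return 0;
}
```

The check is deliberately strict: it refuses every `..` component, including ones such as `a/../b` that would resolve inside the target directory, and it does not cover symlinks already present in the output tree.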
Comment 4 Larry the Git Cow gentoo-dev 2018-05-05 01:50:46 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e37ce8b9eae1785939058f0d5af4d2e3422b5cc

commit 4e37ce8b9eae1785939058f0d5af4d2e3422b5cc
Author:     Michael Mair-Keimberger <m.mairkeimberger@gmail.com>
AuthorDate: 2018-04-29 08:23:49 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-05-05 01:43:53 +0000

    app-arch/unrar-gpl: treeclean
    
    Closes: https://bugs.gentoo.org/628432
    Closes: https://github.com/gentoo/gentoo/pull/8196

 app-arch/unrar-gpl/Manifest                        |  1 -
 .../unrar-gpl/files/unrar-gpl-0.0.1-solaris.patch  | 63 ----------------------
 app-arch/unrar-gpl/metadata.xml                    |  7 ---
 .../unrar-gpl/unrar-gpl-0.0.1_p20080417-r1.ebuild  | 24 ---------
 .../unrar-gpl/unrar-gpl-0.0.1_p20080417-r2.ebuild  | 32 -----------
 profiles/package.mask                              |  5 --
 6 files changed, 132 deletions(-)