
Re: unrar-free: CVE-2017-14120: directory traversal vulnerability



tags 874059 + patch
thanks

Patch attached. 

It includes autopkgtests that check this CVE, plus a smoketest of a
regular (i.e. non-exploit) extraction to catch any regression.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
diff --git a/debian/tests/0001-smoketest b/debian/tests/0001-smoketest
new file mode 100755
index 0000000..be5e756
--- /dev/null
+++ b/debian/tests/0001-smoketest
@@ -0,0 +1,35 @@
+#!/bin/sh
+#
+# Simple smoketest of unrar extraction
+
+setUp() {
+	uudecode >archive.rar <<EOF
+begin-base64 644 -
+UmFyIRoHAM+QcwAADQAAAAAAAACRAHSAgCgAIgEAACACAAAD/TwH77wMJjEU
+MwgApIEAAGNsYW0uZXhlCcFZTMgAAAAc1+kYULWtszouCt0cW/3wCyWsye2n
+RguDS4S0kpcrL/Ckuag5oPiSg4XBFBJ4AvgNycVB2XFyiRkW0V72ztCr4Bcu
+B8d59wPudOc8U/fcy4cx+8BpcIwPB8QCODjnz9RDySYkGsD35zzsto5FTmxj
+5fRVUfTtJS0GOfB7dcwGtToG4wzG2O36fn4uYYffJwif60WIcezfkH69OKhK
+xdyP9cmyb8X+TxO96u7mG6pvU1BTpu3uCF8FGrN4dy1XXu3Q31cdGXoiTpES
+WsL0LTSYeRmueQDUdCO/CFqK1DM5+Ac3Hp/cmqSlHyFAmkXjJiUGuU5a4ONx
+6QRICbOWzHof7owJl9N++fCuQsvDR4qFpNPgqgaL58LetsA=
+====
+EOF
+}
+
+tearDown() {
+	rm -f archive.tar clam.exe
+}
+
+testList() {
+	unrar-free --list archive.rar
+	assertEquals "Status code" $? 0
+}
+
+testExtract() {
+	unrar-free --extract archive.rar
+	assertEquals "Status code" $? 0
+	assertTrue "File exists" "[ -e clam.exe ]"
+}
+
+. /usr/bin/shunit2
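Review bot: tearDown removes a file that is never created: the `rm -f archive.tar clam.exe` line names `archive.tar`, while setUp writes `archive.rar`, so the archive is left behind after every test and the rm silently does nothing for it. It should read `rm -f archive.rar clam.exe`. The tearDown in debian/tests/0002-CVE-2017-14120 carries the same `archive.tar` typo.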
diff --git a/debian/tests/0002-CVE-2017-14120 b/debian/tests/0002-CVE-2017-14120
new file mode 100755
index 0000000..740cd90
--- /dev/null
+++ b/debian/tests/0002-CVE-2017-14120
@@ -0,0 +1,30 @@
+#!/bin/sh
+#
+# Test CVE-2017-14120
+
+setUp() {
+	uudecode >archive.rar <<EOF
+begin-base64 644 -
+UmFyIRoHAM+QcwAADQAAAAAAAABvvXQAgCUABQAAAAUAAAAAm7HC/4+CR0YU
+MAUAIAAAAC4uL3h4YWFiDQo=
+====
+EOF
+}
+
+tearDown() {
+	rm -f archive.tar ../xx
+}
+
+testList() {
+	unrar-free --list archive.rar
+	assertEquals "Status code" $? 0
+}
+
+testExtract() {
+	unrar-free --extract archive.rar
+	assertNotEquals "Status code" $? 0
+	assertFalse "File does not exist" "-e ../xx"
+}
+
+
+. /usr/bin/shunit2
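Review bot: The second assertion in testExtract, `assertFalse "File does not exist" "-e ../xx"`, cannot fail: as far as I can tell shunit2 runs a non-numeric condition through the shell as a command, and `-e ../xx` is not a command, so the condition always returns non-zero and assertFalse passes whether or not the file was written. The smoketest already uses the working form, so this should be `assertFalse "File does not exist" "[ -e ../xx ]"`. Since an unpatched build would write the probe file into the parent of the harness's working directory, running the test from a fresh subdirectory created in setUp and removed in tearDown would keep that write inside the test's own tree.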
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..9aa54dd
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,7 @@
+Tests: 0001-smoketest
+Depends: @, sharutils
+Restrictions: allow-stderr
+
+Tests: 0002-CVE-2017-14120
+Depends: @, sharutils
+Restrictions: allow-stderr
diff --git a/src/unrar.c b/src/unrar.c
index a709ba0..b644180 100644
--- a/src/unrar.c
+++ b/src/unrar.c
@@ -362,6 +362,11 @@ unrar_extract_file (struct unrar_arguments_t *unrar, char *filename,
 	  error (0, 0, "asprintf failed: %m\n");
 	  return 0;
 	}
+      if (!strncmp ("../", file, strlen("../")) || strstr (file, "/../"))
+	{
+          error (0, 0, "archive contains unsafe filename: '%s'\n", file);
+	  return -1;
+	}
       //where do i put it?  in destination.
       if (unrar->extract_newer)
 	{
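Review bot: The new filter on the `strncmp`/`strstr` line only matches `..` when it is followed by a slash, so a name whose last component is `..` (`..` itself or `dir/..`) is not rejected; testing each path component is more robust than the two substring tests. The helper below, placed at file scope above unrar_extract_file, lets the new condition become `if (unsafe_path (file))`. Whether `file` already carries the destination prefix at this point is decided by the asprintf call outside the hunk, so absolute-path handling is not addressed here. The new branch also returns -1 where the asprintf-failure path three lines above returns 0; unless the caller distinguishes the two, one convention should be used. unrar_extract_file begins and ends outside the hunk.
```c
/* True when PATH has ".." as a complete component ("..", "../x", "a/..", "a/../b"). */
static int
unsafe_path (const char *path)
{
  for (const char *p = path; *p; )
    {
      if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0'))
        return 1;
      p = strchr (p, '/');
      if (p == NULL)
        break;
      p++;
    }
  return 0;
}

/* … unchanged: unrar_extract_file up to and including the asprintf check … */
      if (unsafe_path (file))
        {
          error (0, 0, "archive contains unsafe filename: '%s'\n", file);
          return -1;
        }
```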
