--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: wheezy-pu: package unrar-nonfree/1:4.1.4-1+deb7u1
- From: Felix Geyer <fgeyer@debian.org>
- Date: Tue, 28 Apr 2015 22:06:33 +0200
- Message-id: <20150428200633.25084.32022.reportbug@localhost6.localdomain6>
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
unrar-nonfree is affected by a symlink directory traversal vulnerability,
see bug #774171.
(wheezy is currenctly incorrectly marked as <not-affected> in the security tracker.)
Attached is a debdiff that has a backport of the upstream fix.
Cheers,
Felix
diff -Nru unrar-nonfree-4.1.4/debian/changelog unrar-nonfree-4.1.4/debian/changelog
--- unrar-nonfree-4.1.4/debian/changelog 2012-02-14 23:40:11.000000000 +0100
+++ unrar-nonfree-4.1.4/debian/changelog 2015-04-28 21:39:45.000000000 +0200
@@ -1,3 +1,10 @@
+unrar-nonfree (1:4.1.4-1+deb7u1) wheezy; urgency=medium
+
+ * Fix a symlink directory traversal vulnerability (Closes: #774171)
+ - Add debian/patches/fix-dir-traversal
+
+ -- Felix Geyer <fgeyer@debian.org> Tue, 28 Apr 2015 21:38:08 +0200
+
unrar-nonfree (1:4.1.4-1) unstable; urgency=low
* New upstream release
diff -Nru unrar-nonfree-4.1.4/debian/patches/fix-dir-traversal unrar-nonfree-4.1.4/debian/patches/fix-dir-traversal
--- unrar-nonfree-4.1.4/debian/patches/fix-dir-traversal 1970-01-01 01:00:00.000000000 +0100
+++ unrar-nonfree-4.1.4/debian/patches/fix-dir-traversal 2015-04-28 21:44:33.000000000 +0200
@@ -0,0 +1,120 @@
+Description: Fix a symlink directory traversal vulnerability.
+ Backported from version 5.2.7.
+Bug-Debian: https://bugs.debian.org/774171
+
+--- unrar-nonfree-4.1.4.orig/cmddata.cpp
++++ unrar-nonfree-4.1.4/cmddata.cpp
+@@ -538,6 +538,8 @@ void CommandData::ProcessSwitch(const ch
+ #ifdef SAVE_LINKS
+ case 'L':
+ SaveLinks=true;
++ if (etoupper(Switch[2])=='A')
++ AbsoluteLinks=true;
+ break;
+ #endif
+ #ifdef _WIN_ALL
+--- unrar-nonfree-4.1.4.orig/extract.cpp
++++ unrar-nonfree-4.1.4/extract.cpp
+@@ -856,7 +856,7 @@ bool CmdExtract::ExtractCurrentFile(Comm
+ CurFile.SetAllowDelete(!Cmd->KeepBroken);
+
+ bool LinkCreateMode=!Cmd->Test && !SkipSolid;
+- if (ExtractLink(DataIO,Arc,DestFileName,DataIO.UnpFileCRC,LinkCreateMode))
++ if (ExtractLink(Cmd,DataIO,Arc,DestFileName,DataIO.UnpFileCRC,LinkCreateMode))
+ PrevExtracted=LinkCreateMode;
+ else
+ if ((Arc.NewLhd.Flags & LHD_SPLIT_BEFORE)==0)
+--- unrar-nonfree-4.1.4.orig/loclang.hpp
++++ unrar-nonfree-4.1.4/loclang.hpp
+@@ -99,7 +99,7 @@
+ #define MCHelpSwNal "\n n@<list> Include files listed in specified list file"
+ #define MCHelpSwO "\n o[+|-] Set the overwrite mode"
+ #define MCHelpSwOC "\n oc Set NTFS Compressed attribute"
+-#define MCHelpSwOL "\n ol Save symbolic links as the link instead of the file"
++#define MCHelpSwOL "\n ol[a] Process symbolic links as the link [absolute paths]"
+ #define MCHelpSwOR "\n or Rename files automatically"
+ #define MCHelpSwOS "\n os Save NTFS streams"
+ #define MCHelpSwOW "\n ow Save or restore file owner and group"
+--- unrar-nonfree-4.1.4.orig/options.hpp
++++ unrar-nonfree-4.1.4/options.hpp
+@@ -116,6 +116,7 @@ class RAROptions
+ int ConvertNames;
+ bool ProcessOwners;
+ bool SaveLinks;
++ bool AbsoluteLinks;
+ int Priority;
+ int SleepTime;
+ bool KeepBroken;
+--- unrar-nonfree-4.1.4.orig/ulinks.cpp
++++ unrar-nonfree-4.1.4/ulinks.cpp
+@@ -2,7 +2,44 @@
+
+
+
+-bool ExtractLink(ComprDataIO &DataIO,Archive &Arc,const char *LinkName,uint &LinkCRC,bool Create)
++static bool IsFullRootPath(const char *PathA) // Unix ASCII version.
++{
++ return *PathA==CPATHDIVIDER;
++}
++
++
++static bool IsRelativeSymlinkSafe(const char *SrcName,const char *TargetName)
++{
++ if (IsFullRootPath(SrcName))
++ return false;
++ int AllowedDepth=0;
++ while (*SrcName!=0)
++ {
++ if (IsPathDiv(SrcName[0]) && SrcName[1]!=0 && !IsPathDiv(SrcName[1]))
++ {
++ bool Dot=SrcName[1]=='.' && (IsPathDiv(SrcName[2]) || SrcName[2]==0);
++ bool Dot2=SrcName[1]=='.' && SrcName[2]=='.' && (IsPathDiv(SrcName[3]) || SrcName[3]==0);
++ if (!Dot && !Dot2)
++ AllowedDepth++;
++ }
++ SrcName++;
++ }
++ if (IsFullRootPath(TargetName)) // Catch root dir based /path/file paths.
++ return false;
++ for (int Pos=0;*TargetName!=0;Pos++)
++ {
++ bool Dot2=TargetName[0]=='.' && TargetName[1]=='.' &&
++ (IsPathDiv(TargetName[2]) || TargetName[2]==0) &&
++ (Pos==0 || IsPathDiv(*(TargetName-1)));
++ if (Dot2)
++ AllowedDepth--;
++ TargetName++;
++ }
++ return AllowedDepth>=0;
++}
++
++
++bool ExtractLink(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const char *LinkName,uint &LinkCRC,bool Create)
+ {
+ #if defined(SAVE_LINKS) && defined(_UNIX)
+ char LinkTarget[NM];
+@@ -13,6 +50,13 @@ bool ExtractLink(ComprDataIO &DataIO,Arc
+ LinkTarget[DataSize]=0;
+ if (Create)
+ {
++ if (!Cmd->AbsoluteLinks && (IsFullRootPath(LinkTarget) ||
++ !IsRelativeSymlinkSafe(Arc.FileName,LinkTarget))) {
++ int NameSize=Min(DataSize,strlen(LinkTarget));
++ LinkCRC=CRC(0xffffffff,LinkTarget,NameSize);
++ return(false);
++ }
++
+ CreatePath(LinkName,NULL,true);
+ if (symlink(LinkTarget,LinkName)==-1) // Error.
+ if (errno==EEXIST)
+--- unrar-nonfree-4.1.4.orig/ulinks.hpp
++++ unrar-nonfree-4.1.4/ulinks.hpp
+@@ -3,7 +3,7 @@
+
+ void SaveLinkData(ComprDataIO &DataIO,Archive &TempArc,FileHeader &hd,
+ const char *Name);
+-bool ExtractLink(ComprDataIO &DataIO,Archive &Arc,const char *LinkName,
++bool ExtractLink(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const char *LinkName,
+ uint &LinkCRC,bool Create);
+
+ #endif
diff -Nru unrar-nonfree-4.1.4/debian/patches/series unrar-nonfree-4.1.4/debian/patches/series
--- unrar-nonfree-4.1.4/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ unrar-nonfree-4.1.4/debian/patches/series 2015-04-28 21:44:26.000000000 +0200
@@ -0,0 +1 @@
+fix-dir-traversal
--- End Message ---