Package: rar
Version: 2:4.2.0-1
Tags: security

RAR follows symlinks when unpacking stuff, even the symlinks that were created during the same unpack process. It is therefore possible to create a malicious RAR archive that will be unpacked into an arbitrary directory outside cwd.
Proof of concept:

$ pwd
/home/jwilk
$ rar x traversal.rar

RAR 4.20   Copyright (c) 1993-2012 Alexander Roshal   9 Jun 2012
Trial version             Type RAR -? for help

Extracting from traversal.rar

Extracting  tmp                                                       OK
Extracting  tmp/moo                                                   OK
All OK
$ ls -l /tmp/moo
-rw-r--r-- 1 jwilk jwilk 4 Dec 29 21:41 /tmp/moo

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--
Jakub Wilk
Attachment: traversal.rar (application/rar)
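The archive layout behind the report is two members in order: a symlink named tmp pointing outside the extraction directory, followed by a regular file tmp/moo that the extractor then writes through that symlink. The following is an added example, not code from the bug report or from the rar package. It builds the same two-member layout as a tar archive (the Python standard library can write tar but not RAR; the extraction logic is what matters, not the container format), runs it through a naive extractor that mirrors the behaviour described above, and then through a hardened extractor that resolves every destination with realpath and refuses anything that leaves the extraction root, including symlink targets. Function names (build_traversal_tar, naive_extract, safe_extract, demo) and the sample payload are my own.

```python
import io
import os
import tarfile
import tempfile


def build_traversal_tar(target_dir: str) -> bytes:
    """Constructed malicious archive: member 1 is a symlink 'tmp' -> target_dir,
    member 2 is a regular file 'tmp/moo'. Member order is the whole trick."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        link = tarfile.TarInfo("tmp")
        link.type = tarfile.SYMTYPE
        link.linkname = target_dir
        tf.addfile(link)
        data = b"moo\n"
        moo = tarfile.TarInfo("tmp/moo")
        moo.size = len(data)
        tf.addfile(moo, io.BytesIO(data))
    return buf.getvalue()


def naive_extract(archive: bytes, dest: str) -> None:
    """Extractor with the flaw from the report: it creates symlinks as it meets
    them and writes later members through them with no path check at all."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tf:
        for m in tf:
            path = os.path.join(dest, m.name)
            if m.issym():
                os.symlink(m.linkname, path)
            elif m.isfile():
                # dirname(path) is now the symlink, so this lands in target_dir
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(tf.extractfile(m).read())


def _inside(root: str, candidate: str) -> bool:
    return os.path.commonpath([root, candidate]) == root


def safe_extract(archive: bytes, dest: str) -> list:
    """Hardened extractor. Every destination is resolved with realpath *at
    extraction time*, so a symlink created by an earlier member is followed
    and the escape is detected; symlink targets are checked the same way.
    Returns the names of rejected members."""
    root = os.path.realpath(dest)
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(archive)) as tf:
        for m in tf:
            path = os.path.join(root, m.name)
            if not _inside(root, os.path.realpath(path)):
                rejected.append(m.name)
                continue
            if m.issym():
                target = os.path.realpath(
                    os.path.join(os.path.dirname(path), m.linkname))
                if not _inside(root, target):
                    rejected.append(m.name)
                    continue
                os.symlink(m.linkname, path)
            elif m.isdir():
                os.makedirs(path, exist_ok=True)
            elif m.isfile():
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(tf.extractfile(m).read())
    return rejected


def demo() -> dict:
    """Run both extractors on the constructed archive in throwaway directories."""
    with tempfile.TemporaryDirectory() as outside, \
            tempfile.TemporaryDirectory() as cwd_naive, \
            tempfile.TemporaryDirectory() as cwd_safe:
        archive = build_traversal_tar(outside)
        naive_extract(archive, cwd_naive)
        escaped = os.path.isfile(os.path.join(outside, "moo"))
        rejected = safe_extract(archive, cwd_safe)
        contained = os.path.isfile(os.path.join(cwd_safe, "tmp", "moo"))
        return {"naive_escaped": escaped,
                "safe_rejected": rejected,
                "safe_file_inside": contained}


if __name__ == "__main__":
    print(demo())
```

With the naive extractor the file ends up in the outside directory, exactly as /tmp/moo did in the report; the hardened one rejects the symlink member, so tmp/moo is created as an ordinary file inside the extraction root. The check has to happen per member against the on-disk state, not once against the archive listing, because the dangerous symlink does not exist until the extractor itself creates it. For real tar input, Python 3.12 (and the backports to 3.8.17, 3.9.17, 3.10.12 and 3.11.4) ships this policy as `tarfile.extractall(..., filter="data")`.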