Package: arj
Version: 3.10.22-12
Tags: security

To protect from directory traversals, ARJ strips leading slash from the path when unpacking stuff. But this protection can be easily bypassed by stuffing more than one leading slash to the path:

$ pwd
/home/jwilk

$ arj x traversal-slash-slash.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [08 Aug 2014]

Processing archive: traversal-slash-slash.arj
Archive created: 2015-01-02 18:11:00, modified: 2015-01-02 18:11:00
Extracting //tmp/moo to /tmp/moo OK
1 file(s)

$ ls -l /tmp/moo
-rw-r--r-- 1 jwilk jwilk 4 Jan 2 18:11 /tmp/moo

The script I used to create the test case is available at:
https://bitbucket.org/jwilk/path-traversal-samples

-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages arj depends on:
ii libc6 2.19-13

--
Jakub Wilk
traversal-slash-slash.arj
Description: Binary data