On Thu, 12 Feb 2015 16:41:56 +0100 Moritz Muehlenhoff <j...@inutil.org> wrote:
> On Mon, Dec 29, 2014 at 10:29:10PM +0100, Jakub Wilk wrote:
> > Package: unrar
> > Version: 1:5.0.10-1
> > Tags: security
> >
> > UNRAR follows symlinks when unpacking stuff, even the symlinks that
> > were created during the same unpack process.
> > It is therefore possible to create a malicious RAR archive that will
> > be unpacked into arbitrary directory outside cwd.
> >
> > Proof of concept:
> >
> > $ pwd
> > /home/jwilk
> >
> > $ unrar x traversal.rar
> >
> > UNRAR 5.00 beta 8 freeware Copyright (c) 1993-2013 Alexander Roshal
> >
> >
> > Extracting from traversal.rar
> >
> > Extracting tmp OK
> > Extracting tmp/moo OK
> > All OK
> >
> > $ ls -l /tmp/moo
> > -rw-r--r-- 1 jwilk jwilk 4 Dec 29 21:41 /tmp/moo
>
> Martin, did you forward this (and the related issue in rar-nonfree) upstream?

It looks like upstream attempted to fix / work around the issue.
From the WinRAR Version 5.21 changelog:

> 4. Now by default WinRAR skips symbolic links with absolute paths
> in link target when extracting. You can enable creating such links
> with "Allow absolute paths in symbolic links" option on "Advanced"
> page of extraction dialog or with -ola command line switch.
>
> Such links pointing to folders outside of extraction destination
> folder can present a security risk. Enable their extraction only
> if you are sure that archive contents is safe, such as your own backup.

The -ola switch and related changes are part of 5.2.5 but I can still
reproduce the problem with this version.

Cheers,
Felix
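
An added example, not part of this thread and not unrar's code: a pre-extraction audit in Python over an archive's entry listing that flags the pattern reported above (a later entry written through a symlink the same archive created) and, going beyond the reported case, symlinks whose absolute or relative target resolves outside the extraction directory. The (path, kind, link_target) tuple format, the function names and the sample listing are assumptions constructed for illustration; paths are assumed to use "/" separators.

```python
import posixpath

# Constructed entry listing (path, kind, link_target); not read from a real archive.
SAMPLE = [
    ("tmp", "symlink", "/tmp"),
    ("tmp/moo", "file", None),
    ("docs/readme.txt", "file", None),
    ("docs/up", "symlink", "../../etc"),
    ("docs/latest", "symlink", "readme.txt"),
]


def _escapes(path):
    """True if the normalized path is absolute or climbs above the root."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(norm) or norm == ".." or norm.startswith("../")


def audit_entries(entries):
    """Return (path, reason) for each entry that should not be extracted as-is."""
    findings = []
    links = set()  # symlink paths declared earlier in this same archive
    for path, kind, target in entries:
        if _escapes(path):
            findings.append((path, "entry name leaves extraction root"))
            continue
        norm = posixpath.normpath(path)
        parts = norm.split("/")
        # A parent component that is an archive-supplied symlink redirects the write.
        parents = {"/".join(parts[:i]) for i in range(1, len(parts))}
        hit = parents & links
        if hit:
            findings.append((path, "written through archive symlink " + sorted(hit)[0]))
            continue
        if kind == "symlink":
            links.add(norm)  # remembered even if rejected below (conservative)
            # Relative targets resolve against the directory that holds the link.
            resolved = target
            if not posixpath.isabs(target):
                resolved = posixpath.join(posixpath.dirname(norm), target)
            if _escapes(resolved):
                findings.append((path, "symlink target leaves extraction root"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_entries(SAMPLE):
        print(f"REJECT {path}: {reason}")
```

The check is purely lexical: it does not consult the filesystem, so symlinks that already exist in the destination directory still need a separate check at extraction time.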