Your message dated Wed, 05 Oct 2011 06:03:12 +0000
with message-id <e1rbkzu-00029t...@franck.debian.org>
and subject line Bug#642028: fixed in theunarchiver 2.7.1-2
has caused the Debian Bug report #642028,
regarding theunarchiver: directory traversal vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
642028: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642028
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: theunarchiver
Version: 2.7.1-1
Severity: grave
Tags: security
Justification: user security hole
theunarchiver is affected by a directory traversal vulnerability. It can
be tricked by a specially crafted .tar file to unpack stuff into an
arbitrary directory.
Proof of concept:
$ ls -l /tmp/punt
/bin/ls: cannot access /tmp/punt: No such file or directory
$ pwd
/home/jwilk/traversal-test
$ unar traversal.tar.gz
Extracting traversal.tar.gz...
traversal.tar (?)...
root (link)... Failed! (Unknown error)
root (dir)... OK.
root/tmp (dir)... OK.
root/tmp/punt (0)... OK.
Failed! (Unknown error)
$ ls -l /tmp/punt
-rw-r--r-- 1 jwilk users 0 Sep 18 17:00 /tmp/punt
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages theunarchiver depends on:
ii gnustep-base-runtime 1.22.1-1
ii libbz2-1.0 1.0.5-7
ii libc6 2.13-21
ii libgcc1 1:4.6.1-11
ii libgnustep-base1.22 1.22.1-1
ii libicu44 4.4.2-2
ii libobjc3 4.6.1-11
ii libssl1.0.0 1.0.0e-2
ii libstdc++6 4.6.1-11
ii zlib1g 1:1.2.5.dfsg-1
--
Jakub Wilk
--- End Message ---
--- Begin Message ---
Source: theunarchiver
Source-Version: 2.7.1-2
We believe that the bug you reported is fixed in the latest version of
theunarchiver, which is due to be installed in the Debian FTP archive:
theunarchiver_2.7.1-2.debian.tar.bz2
to main/t/theunarchiver/theunarchiver_2.7.1-2.debian.tar.bz2
theunarchiver_2.7.1-2.dsc
to main/t/theunarchiver/theunarchiver_2.7.1-2.dsc
theunarchiver_2.7.1-2_amd64.deb
to main/t/theunarchiver/theunarchiver_2.7.1-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 642...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matt Kraai <kr...@debian.org> (supplier of updated theunarchiver package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 04 Oct 2011 22:52:58 -0700
Source: theunarchiver
Binary: theunarchiver
Architecture: source amd64
Version: 2.7.1-2
Distribution: unstable
Urgency: low
Maintainer: Matt Kraai <kr...@debian.org>
Changed-By: Matt Kraai <kr...@debian.org>
Description:
theunarchiver - Unarchiver for a variety of file formats
Closes: 642028 642037
Changes:
theunarchiver (2.7.1-2) unstable; urgency=low
.
* Do not use standalone License paragraphs in debian/copyright.
* Add Asias He and Julián Moreno Patiño to debian/copyright.
* Add debian/watch.
* Update the description of the -nr option in unar.1, thanks to Jason
Woofenden <ja...@jasonwoof.com>, closes: #642037.
* Override dh_auto_clean and remove debian/clean.
* Run the test suite.
* Define reallocf on GNU Hurd.
* Remove debian/source/local-options.
* Backport upstream's fix to handle links safely, closes: #642028.
Checksums-Sha1:
e60546113923df2fd63eb3bb3d3de216ffcd7664 1451 theunarchiver_2.7.1-2.dsc
62aec3f176e6df906f41c8131bba68bbbeee7433 15668 theunarchiver_2.7.1-2.debian.tar.bz2
e3e543767daa49bbcf0103eeecc520971e7ed461 1765336 theunarchiver_2.7.1-2_amd64.deb
Checksums-Sha256:
bdc44c0081f94956fdc42703d3df618a69b2a554fb3e36c66f5bdb428a2c3e4b 1451 theunarchiver_2.7.1-2.dsc
e4fb0315658a9e82dac9dcbc8211c9d27636ac7043aff7edd319320bd08bc909 15668 theunarchiver_2.7.1-2.debian.tar.bz2
b77a1ddbea3d225eafb98a397d2f8566923a789e9dc406af9b2e5d760687acc1 1765336 theunarchiver_2.7.1-2_amd64.deb
Files:
7f0615eda0eca81e8ec85a86bb90c055 1451 utils optional theunarchiver_2.7.1-2.dsc
ad767a8e345c619762d54117b913d1b5 15668 utils optional theunarchiver_2.7.1-2.debian.tar.bz2
72ff391f7b1f2e8abbdb02cef7f25062 1765336 utils optional theunarchiver_2.7.1-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk6L8YwACgkQfNdgYxVXvBBzkgCfTvO4AIrMCEuoenhQzTv5k2qt
+2sAn1znB8FD8aV6KYcSkuFr7BOR4OI8
=AB59
-----END PGP SIGNATURE-----
--- End Message ---