Your message dated Thu, 07 Sep 2017 09:34:58 +0000
with message-id <e1dptd8-000766...@fasolo.debian.org>
and subject line Bug#874059: fixed in unrar-free 1:0.0.1+cvs20140707-2
has caused the Debian Bug report #874059,
regarding unrar-free: CVE-2017-14120: directory traversal vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
874059: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874059
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: unrar-free
Version: 1:0.0.1+cvs20140707-1
Severity: grave
Tags: security upstream

Hi

From http://www.openwall.com/lists/oss-security/2017/08/20/1

Issue 1: Directory Traversal

Creating a rar v2 archive with path names of the form ../[filename]
will unpack them into the upper directory.

Attached Hanno's POC.

Regards,
Salvatore

Attachment: unrar-gpl-directory-traversal.rar
Description: application/rar


--- End Message ---
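
The report above describes member names of the form ../[filename] escaping the extraction directory. As an added illustration (not code from unrar-free and not the Debian patch), the hypothetical C helper below shows the kind of name check an extractor can apply before creating any file. It validates names only and assumes symlinks are handled separately; the sample names in main() are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* RAR member names may carry either separator, so treat both alike. */
static bool is_sep(char c) { return c == '/' || c == '\\'; }

/* Hypothetical helper (an assumption, not unrar-free's API): returns true
 * only when an archive member name cannot leave the extraction directory.
 * Deliberately strict: any ".." component is refused, even "a/../b". */
bool member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    /* Absolute paths and DOS drive prefixes ignore the destination. */
    if (is_sep(name[0]) || name[1] == ':')
        return false;

    const char *p = name;
    while (*p != '\0') {
        /* Measure one path component. */
        size_t len = 0;
        while (p[len] != '\0' && !is_sep(p[len]))
            len++;
        /* A ".." component can climb out wherever it appears. */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;
        p += len;
        while (is_sep(*p))
            p++;
    }
    return true;
}

int main(void)
{
    /* Constructed sample names, not taken from the attached POC. */
    const char *samples[] = { "docs/readme.txt", "../evil.txt",
                              "a/../../b", "..\\evil.txt", "/etc/passwd" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s %s\n", samples[i],
               member_name_is_safe(samples[i]) ? "extract" : "refuse");
    return 0;
}
```

An extractor would call this on every member name before opening the output file and skip or abort on a refusal.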
--- Begin Message ---
Source: unrar-free
Source-Version: 1:0.0.1+cvs20140707-2

We believe that the bug you reported is fixed in the latest version of
unrar-free, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ying-Chun Liu (PaulLiu) <paul...@debian.org> (supplier of updated unrar-free package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 07 Sep 2017 13:14:41 +0800
Source: unrar-free
Binary: unrar-free
Architecture: source amd64
Version: 1:0.0.1+cvs20140707-2
Distribution: unstable
Urgency: low
Maintainer: Ying-Chun Liu (PaulLiu) <paul...@debian.org>
Changed-By: Ying-Chun Liu (PaulLiu) <paul...@debian.org>
Description:
 unrar-free - Unarchiver for .rar files
Closes: 874059
Changes:
 unrar-free (1:0.0.1+cvs20140707-2) unstable; urgency=low
 .
   [ Chris Lamb <la...@debian.org> ]
   * Fix CVE-2017-14120 (Closes: #874059)
   * Add autopkgtest for testing CVE-2017-14120
 .
   [ Ying-Chun Liu (PaulLiu) <paul...@debian.org> ]
   * Bump Standards-Version to 4.0.0: Nothing needs to be changed
   * debian/control: Add pike8.0 to Suggests

--- End Message ---
