Bug 912072 (CVE-2015-0556) - VUL-1: CVE-2015-0556 CVE-2015-0557: unarj: two directory traversal flaws
Summary: VUL-1: CVE-2015-0556 CVE-2015-0557: unarj: two directory traversal flaws
Status: RESOLVED INVALID
Alias: CVE-2015-0556
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority / Severity: P3 - Medium / Minor
Target Milestone: ---
Deadline: 2015-04-13
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/112063/
Whiteboard: maint:running:61380:moderate
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-07 13:29 UTC by Victor Pereira
Modified: 2015-04-13 10:08 UTC
CC: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
reproducer data for CVE-2015-0557 (134 bytes, application/x-arj)
2015-03-30 11:45 UTC, Andreas Stieger
reproducer data for CVE-2015-0556 (207 bytes, application/x-arj)
2015-03-30 11:49 UTC, Andreas Stieger

Description Victor Pereira 2015-01-07 13:29:00 UTC
CVE-2015-0556

Two directory traversal flaws were discovered in the arj archiver:

symlink directory traversal:
 - https://bugs.debian.org/774434

directory traversal via //multiple/leading/slash:
 - https://bugs.debian.org/774435

A CVE request for both issues: http://seclists.org/oss-sec/2015/q1/11

No patches exist for these issues as of right now.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1178824
Comment 1 Swamp Workflow Management 2015-01-07 23:00:52 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2015-03-30 11:16:23 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-04-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61380
Comment 4 Andreas Stieger 2015-03-30 11:45:21 UTC
Created attachment 629176
reproducer data for CVE-2015-0557

reproducer data for CVE-2015-0557
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774435

[[[
To protect from directory traversals, ARJ strips leading slash from the 
path when unpacking stuff. But this protection can be easily bypassed by 
stuffing more than one leading slash to the path:

$ pwd
/home/jwilk

$ arj x traversal-slash-slash.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [08 Aug 2014]

Processing archive: traversal-slash-slash.arj
Archive created: 2015-01-02 18:11:00, modified: 2015-01-02 18:11:00
Extracting //tmp/moo                  to /tmp/moo                    OK
    1 file(s)

$ ls -l /tmp/moo
-rw-r--r-- 1 jwilk jwilk 4 Jan  2 18:11 /tmp/moo
]]]


Expected behaviour: do not write to /tmp/foo
Comment 5 Andreas Stieger 2015-03-30 11:49:41 UTC
Created attachment 629181
reproducer data for CVE-2015-0556

reproducer data for CVE-2015-0556
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774434#3

[[[
ARJ follows symlinks when unpacking stuff, even the symlinks that were 
created during the same unpack process. This can be exploited for 
directory traversal:

$ pwd
/home/jwilk

$ arj x traversal-dirsymlink.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [08 Aug 2014]

Processing archive: traversal-dirsymlink.arj
Archive created: 2015-01-02 18:01:19, modified: 2015-01-02 18:01:19
Extracting tmp                         (SymLink) OK
Extracting tmp/moo                     OK
    2 file(s)

$ ls -ld tmp
lrwxrwxrwx 1 jwilk jwilk 4 Jan  2 18:32 tmp -> /tmp

$ ls -l /tmp/moo
-rw-r--r-- 1 jwilk jwilk 4 Jan  2 18:01 /tmp/moo
]]]

Expected when fixed: do not write to /tmp
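As an added example (not code from arj, unarj, the Debian reporter or this bug's participants), the following Python models the two extraction behaviours quoted in Comment 4 and Comment 5 side by side with a hardened path check: `arj_style_strip()` reproduces the "strip exactly one leading slash" protection that `//tmp/moo` bypasses, `naive_target()` shows what an extractor that follows a symlink dropped earlier in the same archive ends up writing to, and `safe_target()` rejects both. It assumes a scratch temporary directory standing in for /tmp and the home directory, and constructed member names modelled on the two reproducers; the attached .arj files are not parsed.

```python
import os
import posixpath
import tempfile


def arj_style_strip(member):
    """Weak protection as described for CVE-2015-0557: strip exactly one
    leading slash. A member named '//tmp/moo' survives as '/tmp/moo'."""
    return member[1:] if member.startswith("/") else member


def naive_target(dest, member):
    """Path an extractor that trusts arj_style_strip() would write to.
    os.path.join() discards dest when the member is still absolute, and
    nothing here checks for symlinks already extracted under dest."""
    return os.path.join(dest, arj_style_strip(member))


def safe_target(dest, member):
    """Return the path to create for an archive member, or raise ValueError.

    - CVE-2015-0557: the member is normalised (posixpath keeps a leading
      '//' as an absolute prefix) and anything absolute or containing '..'
      is rejected outright instead of being silently rewritten.
    - CVE-2015-0556: every ancestor of the target that already exists under
      dest is checked with islink(), so a symlink extracted earlier in the
      same archive (e.g. 'tmp -> /tmp') is never descended into.
    """
    dest = os.path.realpath(dest)
    norm = posixpath.normpath(member.replace("\\", "/"))
    if posixpath.isabs(norm) or norm == ".":
        raise ValueError("absolute or empty member path: %r" % member)
    parts = norm.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError("traversal component in member path: %r" % member)
    cur = dest
    for p in parts[:-1]:
        cur = os.path.join(cur, p)
        if os.path.islink(cur):
            raise ValueError("refusing to descend through symlink %r" % cur)
    target = os.path.join(dest, *parts)
    # Belt and braces: the resolved target must still live under dest.
    if os.path.commonpath([dest, os.path.realpath(target)]) != dest:
        raise ValueError("%r resolves outside %r" % (member, dest))
    return target


def is_rejected(dest, member):
    """True when safe_target() refuses the member."""
    try:
        safe_target(dest, member)
    except ValueError:
        return True
    return False


def escapes(dest, path):
    """True when path, with symlinks resolved, lies outside dest."""
    dest = os.path.realpath(dest)
    return os.path.commonpath([dest, os.path.realpath(path)]) != dest


def demo():
    """Replay both attacks against a scratch tree (the real /tmp is untouched).

    Constructed member names modelled on the two Debian reproducers:
    '//<outside>/moo' for CVE-2015-0557, and the pair 'tmp' (symlink) then
    'tmp/moo' for CVE-2015-0556. Returns what each extractor decided.
    """
    root = tempfile.mkdtemp()
    outside = os.path.join(root, "outside")  # stands in for /tmp
    dest = os.path.join(root, "home")        # stands in for /home/jwilk
    os.makedirs(outside)
    os.makedirs(dest)
    slash_member = "//" + outside.lstrip("/") + "/moo"
    # First entry of the symlink archive: 'tmp' -> outside directory.
    os.symlink(outside, os.path.join(dest, "tmp"))

    out = {}
    out["0557_naive_escapes"] = escapes(dest, naive_target(dest, slash_member))
    out["0556_naive_escapes"] = escapes(dest, naive_target(dest, "tmp/moo"))
    out["0557_safe_rejected"] = is_rejected(dest, slash_member)
    out["0556_safe_rejected"] = is_rejected(dest, "tmp/moo")
    out["benign_accepted"] = safe_target(dest, "docs/readme.txt") == os.path.join(
        os.path.realpath(dest), "docs", "readme.txt")
    return out


if __name__ == "__main__":
    for name, value in sorted(demo().items()):
        print("%-22s %s" % (name, value))
```

Note that `safe_target()` still accepts the symlink entry `tmp` itself: creating a symlink inside the destination is not the flaw, descending through it on a later entry is. An extractor that also wants to refuse symlinks pointing outside the destination, or that defers symlink creation until all regular files are written, closes the remaining window where an attacker relies on the symlink after extraction.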
Comment 6 Kristyna Streitova 2015-04-10 12:31:35 UTC
Are you able to reproduce it? I've tried to reproduce it on SLE11SP3 (unarj 2.65 - we have this version on SLE-10-SP2 and SLE-11:Update too) but it seems that our package is not affected.

---------------------------------------------
CVE-2015-0556
---------------------------------------------

# unarj x traversal-dirsymlink.arj
UNARJ (Demo version) 2.63 Copyright (c) 1991-2000 ARJ Software, Inc.
Includes patches applied by SUSE/Novell 2003-2004.

Processing archive: traversal-dirsymlink.arj
Archive created: 2022-05-06 25:54:62, modified: 2022-05-06 25:54:62
Unsupported version: 11, Skipped tmp
Extracting tmp/moo                    CRC OK
    1 file(s)

Found     1 error(s)!

# ls -ld tmp
drwxr-xr-x 2 root root 4096 Apr 10 13:18 tmp

# ls -l /tmp/moo
ls: cannot access /tmp/moo: No such file or directory

---------------------------------------------
CVE-2015-0557
---------------------------------------------

/test_0557 # unarj x traversal-slash-slash.arj
UNARJ (Demo version) 2.63 Copyright (c) 1991-2000 ARJ Software, Inc.
Includes patches applied by SUSE/Novell 2003-2004.

Processing archive: traversal-slash-slash.arj
Archive created: 2022-05-06 26:09:08, modified: 2022-05-06 26:09:08
Extracting tmp/moo                    CRC OK
    1 file(s)

# ls -l /tmp/moo
ls: cannot access /tmp/moo: No such file or directory
Comment 7 Andreas Stieger 2015-04-13 10:08:30 UTC
(In reply to Kristyna Streitova from comment #6)
> Are you able to reproduce it? I've tried to reproduce it on SLE11SP3 (unarj
> 2.65 - we have this version on SLE-10-SP2 and SLE-11:Update too) but it
> seems that our package is not affected.

Already fixed by unarj-2.65-path.diff in 2004. Closing.