Re: unarj dir-transversal bug (../../../..)

[evilninja <evilninja () gmx net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Umphress wrote:
>   chris@chris:~/test$ unarj x test.arj
>   UNARJ (Demo version) 2.30 Copyright (c) 1991 Robert K Jung
>   
>   Processing archive: test.arj
>   Archive date      : 2012-11-10 27:44:04
>   Can't open ../../usr/local/bin/test.txt
>       0 file(s)
>
>   Found     1 error(s)!

hm, strange. i have:

evil@sheep:~$ unarj x test.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [27 Jun 2004]

Processing archive: test.arj
Archive created: 2004-10-12 01:15:49, modified: 2004-10-12 01:15:49
usr/bin/namei, Create this directory? Yes
Extracting ../usr/bin/namei           to usr/bin/namei               OK
     1 file(s)

so it's not taking all the ../ into account and also an .arj created with
full path is created in $PWD. arj + unarj are both v3.10.

> Apart from it removing one "../" from the filename I gave it, it
> worked exactly as I expected.

...somehow i don't expect programs to mess with /usr. not as a user and
not as root.

/me wonders about which version of arj/unarj "doubles" is talking about....

- --
BOFH excuse #303:

fractal radiation jamming the backbone
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBaxdjC/PVm5+NVoYRAgBNAJ9tUbGF0NCqM4sIY9mWHsNvGrd9NwCfb+qj
F+w1GfecVnGP7R0TQoQFC+I=
=eEJw
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html