This was reported to vendor-sec by Suse.
Recently some guy called "doubles" posted something about a directory
traversal bug in unarj to full-disclosure. While looking into that
issue I also found a buffer overflow. The problem is that the value of
'short entry_pos' in unarj.c:read_header() is not checked but later
used as offset into 'char filename' when copying into a 512 byte
buffer on the stack in extract(). It's exploitable if the compiler
doesn't inline the extract() function in unarj.c.
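
The missing check described in the report above, as an added example (not unarj's code and not either of the proposed patches): a constructed model in which `entry_pos` is validated against the length of the stored name before it is used as an offset into it. The struct, the function names and the size of the `filename` array are assumptions; only the 512-byte destination comes from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 512  /* destination size given in the report */

/* Constructed model of the parsed header fields; not unarj's definitions. */
struct hdr {
    char  filename[NAME_BUF]; /* path as stored in the archive (size assumed) */
    short entry_pos;          /* offset of the entry name, read from the file */
};

/* Copy filename[entry_pos..] into dst only if the offset is consistent. */
int copy_entry_name(const struct hdr *h, char *dst, size_t dst_size)
{
    const char *nul = memchr(h->filename, '\0', sizeof h->filename);
    size_t len, tail;
    if (nul == NULL)
        return -1;                       /* name is not NUL-terminated */
    len = (size_t)(nul - h->filename);
    if (h->entry_pos < 0 || (size_t)h->entry_pos > len)
        return -1;                       /* offset points outside the name */
    tail = len - (size_t)h->entry_pos;
    if (tail >= dst_size)
        return -1;                       /* would not fit with its NUL */
    memcpy(dst, h->filename + h->entry_pos, tail + 1);
    return 0;
}

/* Demo helper (hypothetical): build a header from constructed values. */
const char *entry_name(const char *path, short entry_pos)
{
    static char out[NAME_BUF];
    struct hdr h;
    memset(&h, 0, sizeof h);
    strncpy(h.filename, path, sizeof h.filename - 1);
    h.entry_pos = entry_pos;
    return copy_entry_name(&h, out, sizeof out) == 0 ? out : NULL;
}

int main(void)
{
    const char *n = entry_name("docs/readme.txt", 5);   /* constructed input */
    printf("%s\n", n ? n : "(rejected)");
    n = entry_name("docs/readme.txt", 600);             /* offset past the name */
    printf("%s\n", n ? n : "(rejected)");
    return 0;
}
```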
Created attachment 106328
Proposed patch for the buffer overflow.
Created attachment 106329
Proposed patch for the directory traversal issue.
No embargo date has been set for this issue.
Now public, removing embargo
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.