This was reported to vendor-sec by Suse. Recently some guy called "doubles" posted something about a directory traversal bug in unarj to full-disclosure. While looking into that issue I also found a buffer overflow. The problem is that the value of 'short entry_pos' in unarj.c:read_header() is not checked but later used as an offset into 'char filename[512]' when copying into a 512-byte buffer on the stack in extract(). It's exploitable if the compiler doesn't inline the extract() function in unarj.c.
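Added example, not the unarj source or either attached patch: the bounds check that the unchecked offset needs before the copy in extract(), assuming the original copy has the shape `strcpy(name, &filename[entry_pos])` into a 512-byte stack buffer; the sample file name is constructed.

```c
#include <stdio.h>
#include <string.h>

#define FNAME_MAX 512   /* size of 'filename' and of the stack buffer in extract() */

/* Constructed sample: what read_header() would have left in 'filename'. */
static char sample_filename[FNAME_MAX] = "dir/sub/file.txt";
static char dest[FNAME_MAX];

/* Safe replacement for an unchecked strcpy(name, &filename[entry_pos]).
 * Returns 0 on success, -1 when entry_pos (a signed short, so possibly
 * negative) lies outside the NUL-terminated name, when the name is not
 * terminated inside the 512-byte buffer, or when the selected suffix
 * plus its NUL would not fit in dest. */
int copy_entry_name(const char filename[FNAME_MAX], short entry_pos,
                    char *dest_buf, size_t dest_len)
{
    const char *nul = memchr(filename, '\0', FNAME_MAX);
    if (nul == NULL)
        return -1;                      /* unterminated name: refuse */
    size_t name_len = (size_t)(nul - filename);

    if (entry_pos < 0 || (size_t)entry_pos > name_len)
        return -1;                      /* offset outside the name */

    size_t tail = name_len - (size_t)entry_pos;   /* bytes after the offset */
    if (tail + 1 > dest_len)
        return -1;                      /* would overflow dest */

    memcpy(dest_buf, filename + entry_pos, tail + 1);   /* includes the NUL */
    return 0;
}

int main(void)
{
    short cases[] = { 0, 8, 16, 17, -1, 600 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = copy_entry_name(sample_filename, cases[i], dest, sizeof dest);
        printf("entry_pos=%4d -> %s%s\n", cases[i],
               rc == 0 ? "ok: " : "rejected",
               rc == 0 ? dest : "");
    }
    return 0;
}
```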
Created attachment 106328: Proposed patch for the buffer overflow.
Created attachment 106329: Proposed patch for the directory traversal issue.
No embargo date has been set for this issue.
Now public, removing embargo
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-007.html