Fedora Update Notification FEDORA-2004-414 has this to say:

  A buffer overflow bug has been discovered in unarj when handling long
  file names contained in an archive. An attacker could create an archive
  with a specially crafted path which could cause unarj to crash or
  execute arbitrary instructions. The Common Vulnerabilities and Exposures
  project (cve.mitre.org) has assigned the name CAN-2004-0947 to this
  issue.

  Additionally, a path traversal vulnerability exists in unarj which
  allows an attacker to extract files to the parent ("..") directory.
  When used recursively, this vulnerability can be used to overwrite
  critical system files and programs.

Attached are patches redone for unarj-2.43-10 as distributed in RH7.3.
Apply in 'unarj-2.43-overflow.patch' and 'unarj-2.43-path.patch' order.

OTOH in this case it is better to bite the bullet IMO and simply
recompile sources from Fedora updates. Literally nothing is required in
order to do that on RH7.3 (and other distros). Base sources are some
three years younger.

------- Additional Comments From michal 2004-11-11 10:52:47 ----

Created an attachment (id=921)
unarj-2.43-overflow.patch - buffer overflow patch for unarj

------- Additional Comments From michal 2004-11-11 10:53:43 ----

Created an attachment (id=922)
unarj-2.43-path.patch - path sanitation patch for unarj

------- Additional Comments From rob.myers.edu 2004-11-11 12:56:25 ----

is this a case where we should switch to a common source code?

------- Additional Comments From rob.myers.edu 2004-11-11 13:11:36 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated unarj packages to QA for rh73, rh90, and fc1:

- - CAN-2004-0947 should be fixed
- - these should all be the same code with release number changed as
    appropriate for the target distribution. rh9 and fc1 were already
    at 2.63, but rh73 was at 2.43.

changelogs:

rh73:
* Thu Nov 11 2004 Rob Myers <rob.myers.edu> 2.63a-7.1.0.7.3.legacy
- - rebuild for rh73
- - fixes CAN-2004-0947 (FL #2272)

* Wed Nov 10 2004 Lon Hohberger <lhh> 2.63a-7
- - Fix directory traversal & buffer overflow. #138468

rh9:
* Thu Nov 11 2004 Rob Myers <rob.myers.edu> 2.63a-7.1.0.9.legacy
- - rebuild for rh9
- - fixes CAN-2004-0947 (FL #2272)

* Wed Nov 10 2004 Lon Hohberger <lhh> 2.63a-7
- - Fix directory traversal & buffer overflow. #138468

fc1:
* Thu Nov 11 2004 Rob Myers <rob.myers.edu> 2.63a-7.1.1.legacy
- - rebuild for FC1
- - fixes CAN-2004-0947 (FL #2272)

* Wed Nov 10 2004 Lon Hohberger <lhh> 2.63a-7
- - Fix directory traversal & buffer overflow. #138468

sha1sums:

rh73:
a60c0a0ac4944b3e25e10d1baf46b7463f0c2bd2  unarj-2.63a-7.1.0.7.3.legacy.i386.rpm
2c6d9798507b4e4fa266d5d75f18edb4b4016715  unarj-2.63a-7.1.0.7.3.legacy.src.rpm

rh9:
03184029d542e99455f03fb238a0d00cc65fc3e6  unarj-2.63a-7.1.0.9.legacy.i386.rpm
0d6e43d5cc3a35f9ba29a5f6e23875266a96a295  unarj-2.63a-7.1.0.9.legacy.src.rpm
873fb4c93f67538ccf25509025a63fb981bb227f  unarj-debuginfo-2.63a-7.1.0.9.legacy.i386.rpm

fc1:
a2919298e0b725fe272e0281b525492664384bc0  unarj-2.63a-7.1.1.legacy.i386.rpm
21c894f9fe6510c520a2ccc16061a700abc3d6af  unarj-2.63a-7.1.1.legacy.src.rpm
b753e60e104c61be1d6394e8058d95694237a0a4  unarj-debuginfo-2.63a-7.1.1.legacy.i386.rpm

files:

rh73:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/unarj-2.63a-7.1.0.7.3.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/unarj-2.63a-7.1.0.7.3.legacy.i386.rpm

rh9:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/unarj-2.63a-7.1.0.9.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/unarj-2.63a-7.1.0.9.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/unarj-debuginfo-2.63a-7.1.0.9.legacy.i386.rpm

fc1:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/unarj-2.63a-7.1.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/unarj-2.63a-7.1.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/unarj-debuginfo-2.63a-7.1.1.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBk/FrtU2XAt1OWnsRAmiVAJ0Q4yZQiK4lhaJwIs2QdUSZfgSZZACgix+8
RlGGF99H9ZcqgAyW41VNaS4=
=OVbW
-----END PGP SIGNATURE-----

------- Additional Comments From michal 2004-11-11 17:38:46 ----

IMO Rob's approach is the only sane one from a maintainer's point of view.

------- Additional Comments From josh.kayse.edu 2004-11-15 11:09:12 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I QAd the FC1 package:

21c894f9fe6510c520a2ccc16061a700abc3d6af  unarj-2.63a-7.1.1.legacy.src.rpm

- - source identical to previous
- - patches look good
- - builds cleanly
- - installs cleanly
- - runs fine

+ PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBmRrrwnUFCSDmt7ERAtyjAJ46M/gRLzs6hpafTASl/PhnOKuJzwCeOxNq
j0PabqToV1vKoKl2+8eSWI0=
=emCB
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2004-11-16 14:10:32 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the rh73, rh90 and fc1 packages:

2c6d9798507b4e4fa266d5d75f18edb4b4016715  unarj-2.63a-7.1.0.7.3.legacy.src.rpm
0d6e43d5cc3a35f9ba29a5f6e23875266a96a295  unarj-2.63a-7.1.0.9.legacy.src.rpm
21c894f9fe6510c520a2ccc16061a700abc3d6af  unarj-2.63a-7.1.1.legacy.src.rpm

- - Source files match previous version
- - Patches look good
- - Spec file changes work well
- - Builds and runs

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBmpbdLMAs/0C4zNoRAunVAJoC+l3b/3wcNMw8m66KDLdjoPrX8ACgwiCp
awagdiANGpZrCwdpUhph1rE=
=j+U6
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2004-11-16 14:13:25 ----

I agree with the decision to go to a common code base for all three
releases. But, the release numbers of the rpms are broken. They are newer
than the fc2 update they are based on.

I propose the following release numbers instead, with the distro tag
based on the fedora.us naming suggestions:

unarj-2.63a-4.1.rh73.legacy.src.rpm
unarj-2.63a-4.1.rh90.legacy.src.rpm
unarj-2.63a-4.1.1.legacy.src.rpm

------- Additional Comments From rob.myers.edu 2004-11-17 05:32:33 ----

whoops. sorry for that rather large oversight! thanks for catching this. :)

your version suggestions seem to conflict with fedora legacy's rpm
versioning guidelines:
http://www.fedoralegacy.org/wiki/index.php/RpmVersioning

we should either follow our documentation or change it to reflect what
we actually do. any versioning scheme, as long as we document and apply
it, is fine with me.

------- Additional Comments From marcdeslauriers 2004-11-17 13:01:59 ----

After discussion on irc, these should be the version tags when these
packages get built in mach:

unarj-2.63a-4.0.7.3.1.legacy.src.rpm
unarj-2.63a-4.0.9.1.legacy.src.rpm
unarj-2.63a-4.1.1.legacy.src.rpm

------- Additional Comments From marcdeslauriers 2004-12-05 13:56:47 ----

I pushed these to updates-testing. Please test and put VERIFY comments here.

------- Additional Comments From dom 2004-12-10 02:24:48 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

8b07f5d8a514324da4097fa5e5fe45ab693fba54  unarj-2.63a-4.0.7.3.1.legacy.i386.rpm

- - installs fine
- - runs fine (but no archives tested)

VERIFY rh73

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBuZV1YzuFKFF44qURAlBTAJ97vaJ9PKzaeBNgCSleV5i9eptw9gCg7yEf
qUGU4BH0c3ltvYUzBrZHX6w=
=wPeg
-----END PGP SIGNATURE-----

------- Additional Comments From pekkas 2004-12-14 10:17:45 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

8b07f5d8a514324da4097fa5e5fe45ab693fba54  unarj-2.63a-4.0.7.3.1.legacy.i386.rpm

Tested RHL73.

- - GPG signature OK.
- - Installs OK, unarj works for a test .arj.
- - rpm-compare-build.sh looks sane.

+VERIFY

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBv0nnGHbTkzxSL7QRAj96AKCWh2JqSvvs9jlR62qmzzKFkrecEACguQPL
cIv1cpYXCwebPVcuOncceCU=
=v8UN
-----END PGP SIGNATURE-----

------- Additional Comments From pekkas 2004-12-22 22:28:08 ----

FC1 anyone ...??

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RHL9:

- rpm-build-compare diffs look reasonable
- signature is OK
- install and unarj of a simple arj file works OK

+VERIFY RHL9

a6151b99a058e254d76de4fe73b769fe0978f851  unarj-2.63a-4.0.9.1.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFByoFzGHbTkzxSL7QRAnPGAJ9xN7VADiBv/MU3R5oNfqkptxjiAwCgoxCP
6yaLtoolxg4gY9D2RK2UGOQ=
=jhf7
-----END PGP SIGNATURE-----

------- Additional Comments From rob.myers.edu 2004-12-23 08:34:20 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

i did QA on the FC1 unarj rpm:

ea630f037afc90ab60cc85e230b64e54141535c9  unarj-2.63a-4.1.1.legacy.i386.rpm

- - sha1sum matches announcement
- - gpg signature ok
- - installs fine
- - works fine
- - rpm-build-compare ok

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFByw97tU2XAt1OWnsRAk8cAJ45jUda7AlI+iBUMIkAiqfjYPH0NQCbBwOE
tksQ9CIXpk8psSQOrcqo5dc=
=xfBi
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2005-02-01 18:25:13 ----

Packages were released as updates

------- Bug moved to this database by dkl 2005-03-30 18:29 -------

This bug previously known as bug 2272 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2272
Originally filed under the Fedora Legacy product and General component.

Attachments:
unarj-2.43-overflow.patch - buffer overflow patch for unarj
https://bugzilla.fedora.us/attachment.cgi?action=view&id=921
unarj-2.43-path.patch - path sanitation patch for unarj
https://bugzilla.fedora.us/attachment.cgi?action=view&id=922

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
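The first comment in this bug describes two distinct defects in unarj's handling of archive entry names: a long name overflowing a fixed-size buffer, and a name containing a parent-directory ("..") component escaping the extraction directory. The following C is an added illustration of how an extractor can refuse both at the point where it reads the name; it is not taken from the bug's attached patches, from the Fedora update, or from unarj's own source. ENTRY_NAME_MAX, the function names and the sample entry names are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer limit for this example; unarj's real header buffers
 * are not reproduced here. */
#define ENTRY_NAME_MAX 256

/* Bounded copy of an archive entry name into a fixed buffer.
 * Returns 1 on success, 0 if the name (plus its terminating NUL) does
 * not fit. Refusing the entry is safer than silent truncation, which
 * would turn one name into a different path. */
int copy_entry_name(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n + 1 > dst_size)
        return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

/* Decide whether an entry name may be extracted beneath the current
 * directory. Rejects empty names, absolute paths, DOS drive letters and
 * any ".." path component (the parent-directory escape from the bug).
 * Both '/' and '\\' count as separators, since ARJ archives are commonly
 * produced on DOS/Windows systems. */
int entry_path_is_safe(const char *name)
{
    const char *p = name;

    if (name == NULL || name[0] == '\0')
        return 0;
    if (name[0] == '/' || name[0] == '\\')
        return 0;                         /* absolute path */
    if (name[1] == ':')                   /* name[0] != 0, so name[1] exists */
        return 0;                         /* drive letter, e.g. "C:\..." */

    while (*p != '\0') {
        /* measure the current path component */
        size_t len = 0;
        while (p[len] != '\0' && p[len] != '/' && p[len] != '\\')
            len++;
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                     /* ".." component: reject */
        p += len;
        if (*p != '\0')
            p++;                          /* skip the separator */
    }
    return 1;
}

/* Combined gate mirroring the two fixes: the name must fit the buffer,
 * and the copied path must stay under the extraction directory. */
int accept_entry(const char *name, char *out, size_t out_size)
{
    if (!copy_entry_name(out, out_size, name))
        return 0;
    return entry_path_is_safe(out);
}

int main(void)
{
    /* Constructed sample names; not taken from any real archive. */
    const char *samples[] = {
        "docs/readme.txt",
        "../../../etc/passwd",
        "/etc/passwd",
        "a/b/../c",
        "C:\\boot.ini",
        "normal..name/file",
    };
    char buf[ENTRY_NAME_MAX];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i],
               accept_entry(samples[i], buf, sizeof buf) ? "ok" : "REJECT");

    /* An over-long name is refused before it could overrun the buffer. */
    {
        size_t biglen = ENTRY_NAME_MAX + 9;
        char *longname = malloc(biglen + 1);
        memset(longname, 'A', biglen);
        longname[biglen] = '\0';
        printf("%zu-byte name: %s\n", biglen,
               accept_entry(longname, buf, sizeof buf) ? "ok" : "REJECT");
        free(longname);
    }
    return 0;
}
```

The component-wise walk matters: a name such as "normal..name/file" is legitimate and is accepted, while "a/b/../c" is rejected even though it begins safely, because the check does not rely on the name's prefix alone.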