Bug 152852 - unarj - buffer overflow and path traversal bugs - CAN-2004-0947
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: General
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
Whiteboard: 1, LEGACY, rh73, rh90
Reported: 2004-11-11 15:50 UTC by Michal Jaegermann
Modified: 2008-05-01 15:38 UTC (History)
Doc Type: Bug Fix

Description David Lawrence 2005-03-30 23:29:43 UTC
Fedora Update Notification FEDORA-2004-414 has this to say:

A buffer overflow bug has been discovered in unarj when handling long
file names contained in an archive. An attacker could create an archive
with a specially crafted path which could cause unarj to crash or
execute arbitrary instructions.  The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0947 to
this issue.

Additionally, a path traversal vulnerability exists in unarj which
allows an attacker to extract files to the parent ("..") directory. When
used recursively, this vulnerability can be used to overwrite critical
system files and programs.


Attached are patches redone for unarj-2.43-10 as distributed in RH7.3.
Apply in 'unarj-2.43-overflow.patch' and 'unarj-2.43-path.patch' order.
OTOH in this case it is better to bite the bullet IMO and simply recompile
sources from Fedora updates.  Literally nothing is required in order
to do that on RH7.3 (and other distros).  Base sources are some three
years younger.
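
An added example, not the attached patches or unarj's own code: a C routine that applies both checks the advisory text implies to a file name read from an archive header, a length bound before the copy and rejection of absolute paths and ".." components. The names `NAME_BUF`, `has_dotdot` and `sanitize_entry_name` are hypothetical, the buffer size is assumed, and treating `\` as a separator is a conservative choice made here.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 512  /* assumed size of the extractor's file name buffer */

/* Return 1 if any '/'-separated component of p is exactly "..". */
static int has_dotdot(const char *p)
{
    for (;;) {
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        if (p[len] == '\0')
            return 0;
        p += len + 1;
    }
}

/* Copy an untrusted header name (raw, at most rawlen bytes, possibly not
 * NUL-terminated) into dst. Returns 0 if accepted, -1 if rejected. */
int sanitize_entry_name(const char *raw, size_t rawlen, char *dst, size_t dstsize)
{
    const char *nul = memchr(raw, '\0', rawlen);
    size_t n = nul ? (size_t)(nul - raw) : rawlen, i;
    if (dstsize == 0)
        return -1;
    dst[0] = '\0';
    if (n == 0 || n >= dstsize)          /* empty, or would overflow dst */
        return -1;
    memcpy(dst, raw, n);
    dst[n] = '\0';
    for (i = 0; i < n; i++)              /* treat '\' as a separator too */
        if (dst[i] == '\\')
            dst[i] = '/';
    if (dst[0] == '/' || has_dotdot(dst)) {  /* absolute path or ".." */
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* constructed sample names, not taken from a real archive */
    const char *names[] = { "docs/readme.txt", "../etc/passwd", "a/../../b" };
    char buf[NAME_BUF];
    for (int i = 0; i < 3; i++)
        printf("%d\n", sanitize_entry_name(names[i], strlen(names[i]), buf, sizeof buf));
    return 0;
}
```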



------- Additional Comments From michal 2004-11-11 10:52:47 ----

Created an attachment (id=921)
unarj-2.43-overflow.patch - buffer overflow patch for unarj




------- Additional Comments From michal 2004-11-11 10:53:43 ----

Created an attachment (id=922)
unarj-2.43-path.patch - path sanitation patch for unarj




------- Additional Comments From rob.myers.edu 2004-11-11 12:56:25 ----

is this a case where we should switch to a common source code?



------- Additional Comments From rob.myers.edu 2004-11-11 13:11:36 ----

Here are updated unarj packages to QA for rh73, rh90, and fc1:
  
- CAN-2004-0947 should be fixed
- these should all be the same code with release number changed
  as appropriate for the target distribution.  rh9 and fc1 were
  already at 2.63, but rh73 was at 2.43.

changelogs:

rh73:
* Thu Nov 11 2004 Rob Myers <rob.myers.edu> 2.63a-7.1.0.7.3.legacy
- rebuild for rh73
- fixes CAN-2004-0947 (FL #2272)

* Wed Nov 10 2004 Lon Hohberger <lhh> 2.63a-7
- Fix directory traversal & buffer overflow. #138468

rh9:
* Thu Nov 11 2004 Rob Myers <rob.myers.edu> 2.63a-7.1.0.9.legacy
- rebuild for rh9
- fixes CAN-2004-0947 (FL #2272)

* Wed Nov 10 2004 Lon Hohberger <lhh> 2.63a-7
- Fix directory traversal & buffer overflow. #138468

fc1:
* Thu Nov 11 2004 Rob Myers <rob.myers.edu> 2.63a-7.1.1.legacy
- rebuild for FC1
- fixes CAN-2004-0947 (FL #2272)

* Wed Nov 10 2004 Lon Hohberger <lhh> 2.63a-7
- Fix directory traversal & buffer overflow. #138468
 
  
sha1sums:
rh73:
a60c0a0ac4944b3e25e10d1baf46b7463f0c2bd2  unarj-2.63a-7.1.0.7.3.legacy.i386.rpm
2c6d9798507b4e4fa266d5d75f18edb4b4016715  unarj-2.63a-7.1.0.7.3.legacy.src.rpm
 
rh9:
03184029d542e99455f03fb238a0d00cc65fc3e6  unarj-2.63a-7.1.0.9.legacy.i386.rpm
0d6e43d5cc3a35f9ba29a5f6e23875266a96a295  unarj-2.63a-7.1.0.9.legacy.src.rpm
873fb4c93f67538ccf25509025a63fb981bb227f  unarj-debuginfo-2.63a-7.1.0.9.legacy.i386.rpm

fc1:
a2919298e0b725fe272e0281b525492664384bc0  unarj-2.63a-7.1.1.legacy.i386.rpm
21c894f9fe6510c520a2ccc16061a700abc3d6af  unarj-2.63a-7.1.1.legacy.src.rpm
b753e60e104c61be1d6394e8058d95694237a0a4  unarj-debuginfo-2.63a-7.1.1.legacy.i386.rpm
  
files:
 
rh73:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/unarj-2.63a-7.1.0.7.3.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/unarj-2.63a-7.1.0.7.3.legacy.i386.rpm
 
rh9:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/unarj-2.63a-7.1.0.9.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/unarj-2.63a-7.1.0.9.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/unarj-debuginfo-2.63a-7.1.0.9.legacy.i386.rpm
 
fc1:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/unarj-2.63a-7.1.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/unarj-2.63a-7.1.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/unarj-debuginfo-2.63a-7.1.1.legacy.i386.rpm
 




------- Additional Comments From michal 2004-11-11 17:38:46 ----

IMO Rob's approach is the only sane one from a maintainer's point of view.



------- Additional Comments From josh.kayse.edu 2004-11-15 11:09:12 ----

I QAd the FC1 package:

21c894f9fe6510c520a2ccc16061a700abc3d6af  unarj-2.63a-7.1.1.legacy.src.rpm

- source identical to previous
- patches look good
- builds cleanly
- installs cleanly
- runs fine

+ PUBLISH



------- Additional Comments From marcdeslauriers 2004-11-16 14:10:32 ----

I did QA on the rh73, rh90 and fc1 packages:

2c6d9798507b4e4fa266d5d75f18edb4b4016715  unarj-2.63a-7.1.0.7.3.legacy.src.rpm
0d6e43d5cc3a35f9ba29a5f6e23875266a96a295  unarj-2.63a-7.1.0.9.legacy.src.rpm
21c894f9fe6510c520a2ccc16061a700abc3d6af  unarj-2.63a-7.1.1.legacy.src.rpm

- Source files match previous version
- Patches look good
- Spec file changes work good
- Builds and runs

+PUBLISH





------- Additional Comments From marcdeslauriers 2004-11-16 14:13:25 ----

I agree with the decision to go to a common code base for all three releases.

But, the release numbers of the rpms are broken. They are newer than the fc2
update they are based on.

I propose the following release numbers instead with the distro tag based on the
fedora.us naming suggestions:

unarj-2.63a-4.1.rh73.legacy.src.rpm
unarj-2.63a-4.1.rh90.legacy.src.rpm
unarj-2.63a-4.1.1.legacy.src.rpm




------- Additional Comments From rob.myers.edu 2004-11-17 05:32:33 ----

woops.  sorry for that rather large oversight!  thanks for catching this. :)

your version suggestions seem to conflict with fedora legacy's rpm versioning
guidelines: http://www.fedoralegacy.org/wiki/index.php/RpmVersioning.

we should either follow our documentation or change it to reflect what we
actually do.  any versioning scheme, as long as we document and apply it, is
fine with me.



------- Additional Comments From marcdeslauriers 2004-11-17 13:01:59 ----

After discussion on irc, these should be the version tags when these packages
get built in mach:

unarj-2.63a-4.0.7.3.1.legacy.src.rpm
unarj-2.63a-4.0.9.1.legacy.src.rpm
unarj-2.63a-4.1.1.legacy.src.rpm



------- Additional Comments From marcdeslauriers 2004-12-05 13:56:47 ----

I pushed these to updates-testing. Please test and put VERIFY comments here.



------- Additional Comments From dom 2004-12-10 02:24:48 ----

8b07f5d8a514324da4097fa5e5fe45ab693fba54  unarj-2.63a-4.0.7.3.1.legacy.i386.rpm

- installs fine
- runs fine (but no archives tested)

VERIFY rh73




------- Additional Comments From pekkas 2004-12-14 10:17:45 ----

8b07f5d8a514324da4097fa5e5fe45ab693fba54  unarj-2.63a-4.0.7.3.1.legacy.i386.rpm

Tested RHL73.

- GPG signature OK.
- Installs OK, unarj works for a test .arj.
- rpm-compare-build.sh looks sane.

+VERIFY



------- Additional Comments From pekkas 2004-12-22 22:28:08 ----

FC1 anyone ...??

QA for RHL9:
 - rpm-build-compare diffs look reasonable
 - signature is OK
 - install and unarj of a simple arj file works OK

+VERIFY RHL9

a6151b99a058e254d76de4fe73b769fe0978f851  unarj-2.63a-4.0.9.1.legacy.i386.rpm




------- Additional Comments From rob.myers.edu 2004-12-23 08:34:20 ----

i did QA on the FC1 unarj rpm:
 
ea630f037afc90ab60cc85e230b64e54141535c9  unarj-2.63a-4.1.1.legacy.i386.rpm
 
- sha1sum matches announcement
- gpg signature ok
- installs fine
- works fine
- rpm-build-compare ok
 




------- Additional Comments From marcdeslauriers 2005-02-01 18:25:13 ----

Packages were released as updates



------- Bug moved to this database by dkl 2005-03-30 18:29 -------

This bug previously known as bug 2272 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2272
Originally filed under the Fedora Legacy product and General component.

Attachments:
unarj-2.43-overflow.patch - buffer overflow patch for unarj
https://bugzilla.fedora.us/attachment.cgi?action=view&id=921
unarj-2.43-path.patch - path sanitation patch for unarj
https://bugzilla.fedora.us/attachment.cgi?action=view&id=922

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



