Debian Bug report logs - #281922
unarj: CAN-2004-0947 present in Debian?


Package: unarj; Maintainer for unarj is (unknown);

Reported by: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>

Date: Thu, 18 Nov 2004 15:48:04 UTC

Severity: grave

Tags: security, woody

Found in version 2.43-3

Fixed in version unarj/2.43-3woody1

Done: Steve McIntyre <93sam@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Guillem Jover <guillem@debian.org>:
Bug#281922; Package unarj. Full text and rfc822 format available.

Acknowledgement sent to Helge Kreutzmann <kreutzm@itp.uni-hannover.de>:
New Bug report received and forwarded. Copy sent to Guillem Jover <guillem@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
To: submit@bugs.debian.org
Subject: unarj: CAN-2004-0947 present in Debian?
Date: Thu, 18 Nov 2004 16:42:04 +0100
[Message part 1 (text/plain, inline)]
Package: unarj
Version: 2.43-3
Severity: grave
Justification: user security hole
Tags: security,woody

As I see no bug against unarj, I thought I'd file it. I don't know if sid
is affected.

The CAN entry is still a dummy; here is the Red Hat advisory:
http://lwn.net/Alerts/110733/

-- System Information
Debian Release: 3.0
Architecture: alpha
Kernel: Linux jari 2.4.26-grsec-hk04 #1 Fri Aug 6 12:23:40 CEST 2004 alpha
Locale: LANG=C, LC_CTYPE=C

Versions of packages unarj depends on:
ii  libc6.1                       2.2.5-11.5 GNU C Library: Shared libraries an
-- 
Helge Kreutzmann, Dipl.-Phys.               Helge.Kreutzmann@itp.uni-hannover.de
                       gpg signed mail preferred 
    64bit GNU powered                  http://www.itp.uni-hannover.de/~kreutzm
       Help keep free software "libre": http://www.freepatents.org/
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Guillem Jover <guillem@debian.org>:
Bug#281922; Package unarj. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Guillem Jover <guillem@debian.org>. Full text and rfc822 format available.

Message #10 received at 281922@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: 281922@bugs.debian.org
Subject: 2 CANs
Date: Thu, 18 Nov 2004 14:45:16 -0500
[Message part 1 (text/plain, inline)]
Note that the Fedora advisory covers 2 CANs. So this bug is also for
CAN-2004-1027, I guess. That security hole is simply that unarj will
overwrite files below the working directory if the archive it unpacks
contains /../ in filenames.

However, both security holes are in the non-free unarj, not the new
free one that's in debian sid/sarge. I don't have any reason to believe
that our new unarj is vulnerable to either, though I've not checked.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]
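Joey's description above (an entry name containing `/../` escaping the working directory, CAN-2004-1027) and the filename buffer overflow named in the later changelog (CAN-2004-0947) are both checks an extractor must make before touching the filesystem. The following is an added illustration, not unarj's own code: a name validator for archive entries, with an assumed buffer size and constructed sample names.

```c
/* Added example (not unarj's own code): a defensive check for archive
 * entry names before they are used to create files on disk. It rejects
 * names too long for a fixed buffer (the CAN-2004-0947 class) and names
 * that leave the extraction directory via absolute paths or ".." components
 * (the CAN-2004-1027 class). MAX_NAME_LEN and the samples are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_NAME_LEN 255   /* assumed size of the fixed entry-name buffer */

enum name_status { NAME_OK = 0, NAME_BAD_LENGTH = 1,
                   NAME_ABSOLUTE = 2, NAME_TRAVERSAL = 3 };

/* Returns NAME_OK only if the name fits the buffer and stays inside the
 * extraction directory. Both '/' and '\\' are treated as separators because
 * ARJ archives come from DOS and may carry either form. */
enum name_status check_entry_name(const char *name)
{
    size_t len = strlen(name);
    const char *p = name;

    if (len == 0 || len >= MAX_NAME_LEN)
        return NAME_BAD_LENGTH;
    /* absolute path, or a DOS drive letter such as "C:" */
    if (name[0] == '/' || name[0] == '\\' || (len >= 2 && name[1] == ':'))
        return NAME_ABSOLUTE;
    /* walk every path component and reject ".." anywhere in the name */
    while (*p) {
        const char *end = p;
        while (*end && *end != '/' && *end != '\\')
            end++;
        if (end - p == 2 && p[0] == '.' && p[1] == '.')
            return NAME_TRAVERSAL;
        p = (*end) ? end + 1 : end;
    }
    return NAME_OK;
}

int main(void)
{
    /* constructed sample entry names, as a hostile archive might present them */
    const char *samples[] = { "docs/readme.txt", "../../etc/passwd",
                              "sub\\..\\..\\x.bat", "/etc/passwd", "C:\\boot.ini" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %d\n", samples[i], (int)check_entry_name(samples[i]));
    return 0;
}
```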

Information forwarded to debian-bugs-dist@lists.debian.org, Guillem Jover <guillem@debian.org>:
Bug#281922; Package unarj. Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadentplace.org.uk>:
Extra info received and forwarded to list. Copy sent to Guillem Jover <guillem@debian.org>. Full text and rfc822 format available.

Message #15 received at 281922@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadentplace.org.uk>
To: 281922@bugs.debian.org, control@bugs.debian.org
Subject: Debian unarj package unrelated to Red Hat unarj
Date: Sat, 27 Nov 2004 18:32:59 +0000
close 281922
thanks



Bug closed, send any further explanations to Helge Kreutzmann <kreutzm@itp.uni-hannover.de> Request was from Ben Hutchings <ben@decadentplace.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Guillem Jover <guillem@debian.org>:
Bug#281922; Package unarj. Full text and rfc822 format available.

Acknowledgement sent to Helge Kreutzmann <kreutzm@itp.uni-hannover.de>:
Extra info received and forwarded to list. Copy sent to Guillem Jover <guillem@debian.org>. Full text and rfc822 format available.

Message #22 received at 281922@bugs.debian.org (full text, mbox):

From: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
To: ben@decadentplace.org.uk
Cc: 281922@bugs.debian.org, control@bugs.debian.org
Subject: Unarj affected or not?
Date: Tue, 30 Nov 2004 09:06:20 +0100
[Message part 1 (text/plain, inline)]
reopen 281922
thanks

On Nov. 27 the bug I filed was closed *without comment*, although
Joey's analysis indicated that the woody version might be affected. To
be sure that this does not get closed by an (accidental?) closing, I
reopened the bug, waiting for further analysis.

Thanks

        Helge
-- 
Helge Kreutzmann, Dipl.-Phys.               Helge.Kreutzmann@itp.uni-hannover.de
                       gpg signed mail preferred 
    64bit GNU powered                  http://www.itp.uni-hannover.de/~kreutzm
       Help keep free software "libre": http://www.freepatents.org/
[Message part 2 (application/pgp-signature, inline)]

Bug reopened, originator not changed. Request was from Helge Kreutzmann <kreutzm@itp.uni-hannover.de> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Guillem Jover <guillem@debian.org>:
Bug#281922; Package unarj. Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadentplace.org.uk>:
Extra info received and forwarded to list. Copy sent to Guillem Jover <guillem@debian.org>. Full text and rfc822 format available.

Message #29 received at 281922@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadentplace.org.uk>
To: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
Cc: 281922@bugs.debian.org, control@bugs.debian.org
Subject: Re: Unarj affected or not?
Date: Tue, 30 Nov 2004 11:46:47 +0000
Helge Kreutzmann wrote:
> On Nov. 27 the bug I filed was closed *without comment*, although
> Joey's analysis indicated that the woody version might be affected.

I'm very sorry about that.  I did include a reason in my mail but this
seems to have been lost along the way, and the reasoning was wrong,
anyway.

Ben.

-- 
Ben Hutchings
Beware of bugs in the above code;
I have only proved it correct, not tried it. - Donald Knuth



Reply sent to Steve McIntyre <93sam@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Helge Kreutzmann <kreutzm@itp.uni-hannover.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #34 received at 281922-close@bugs.debian.org (full text, mbox):

From: Steve McIntyre <93sam@debian.org>
To: 281922-close@bugs.debian.org
Subject: Bug#281922: fixed in unarj 2.43-3woody1
Date: Fri, 21 Jan 2005 03:32:10 -0500
Source: unarj
Source-Version: 2.43-3woody1

We believe that the bug you reported is fixed in the latest version of
unarj, which is due to be installed in the Debian FTP archive:

unarj_2.43-3woody1.diff.gz
  to pool/non-free/u/unarj/unarj_2.43-3woody1.diff.gz
unarj_2.43-3woody1.dsc
  to pool/non-free/u/unarj/unarj_2.43-3woody1.dsc
unarj_2.43-3woody1_alpha.deb
  to pool/non-free/u/unarj/unarj_2.43-3woody1_alpha.deb
unarj_2.43-3woody1_arm.deb
  to pool/non-free/u/unarj/unarj_2.43-3woody1_arm.deb
unarj_2.43-3woody1_hppa.deb
  to pool/non-free/u/unarj/unarj_2.43-3woody1_hppa.deb
unarj_2.43-3woody1_i386.deb
  to pool/non-free/u/unarj/unarj_2.43-3woody1_i386.deb
unarj_2.43-3woody1_ia64.deb
  to pool/non-free/u/unarj/unarj_2.43-3woody1_ia64.deb
unarj_2.43-3woody1_m68k.deb
  to pool/non-free/u/unarj/unarj_2.43-3woody1_m68k.deb
unarj_2.43-3woody1_powerpc.deb
  to pool/non-free/u/unarj/unarj_2.43-3woody1_powerpc.deb
unarj_2.43-3woody1_s390.deb
  to pool/non-free/u/unarj/unarj_2.43-3woody1_s390.deb
unarj_2.43-3woody1_sparc.deb
  to pool/non-free/u/unarj/unarj_2.43-3woody1_sparc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 281922@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve McIntyre <93sam@debian.org> (supplier of updated unarj package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Thu, 20 Jan 2005 13:27:14 +0000
Source: unarj
Binary: unarj
Architecture: alpha arm hppa i386 ia64 m68k powerpc s390 source sparc 
Version: 2.43-3woody1
Distribution: stable
Urgency: high
Maintainer: Steve McIntyre <93sam@debian.org>
Changed-By: Steve McIntyre <93sam@debian.org>
Description: 
 unarj      - arj unarchive utility
Closes: 281922
Changes: 
 unarj (2.43-3woody1) stable-security; urgency=high
 .
   * Fix buffer overflow problem in filename handling (CAN-2004-0947). Closes: #281922
   * Fix unchecked path extraction problem (CAN-2004-1027).
Files: 







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 13:19:22 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.