Directory traversal vulnerability in the -x (extract) command line option in unarj allows remote attackers to overwrite arbitrary files via an arj archive with filenames that contain .. (dot dot) sequences.

unarj has insufficient checks for filenames that contain ... This can allow an attacker to overwrite arbitrary files with the permissions of the user running unarj.

Several vulnerabilities have been discovered in unarj, a non-free ARJ unarchive utility. The Common Vulnerabilities and Exposures Project identifies the following vulnerabilities :

  - CAN-2004-0947     A buffer overflow has been discovered when handling long     file names contained in an archive. An attacker could     create a specially crafted archive which could cause     unarj to crash or possibly execute arbitrary code when     being extracted by a victim.

  - CAN-2004-1027

    A directory traversal vulnerability has been found so     that an attacker could create a specially crafted     archive which would create files in the parent directory     when being extracted by a victim. When used recursively,     this vulnerability could be used to overwrite critical     system files and programs.

An updated unarj package that fixes a buffer overflow vulnerability and a directory traversal vulnerability is now available.

The unarj program is an archiving utility which can extract ARJ-compatible archives.

A buffer overflow bug was discovered in unarj when handling long file names contained in an archive. An attacker could create a specially crafted archive which could cause unarj to crash or possibly execute arbitrary code when extracted by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0947 to this issue.

Additionally, a path traversal vulnerability was discovered in unarj.
An attacker could create a specially crafted archive which would create files in the parent ('..') directory when extracted by a victim. When used recursively, this vulnerability could be used to overwrite critical system files and programs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1027 to this issue.

Users of unarj should upgrade to this updated package which contains backported patches and is not vulnerable to these issues.

The remote host is affected by the vulnerability described in GLSA-200411-29 (unarj: Long filenames buffer overflow and a path traversal vulnerability)

    unarj has a bounds checking vulnerability within the handling of     long filenames in archives. It also fails to properly sanitize paths     when extracting an archive (if the 'x' option is used to preserve     paths).
  Impact :

    An attacker could trigger a buffer overflow or a path traversal by     enticing a user to open an archive containing specially crafted path     names, potentially resulting in the overwrite of files or execution of     arbitrary code with the permissions of the user running unarj.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
18863	FreeBSD : unarj -- directory traversal vulnerability (1f922de0-3fe5-11d9-a9e7-0001020eed82)	Nessus	FreeBSD Local Security Checks	medium
16236	Debian DSA-652-1 : unarj - several vulnerabilities	Nessus	Debian Local Security Checks	critical
16145	RHEL 2.1 : unarj (RHSA-2005:007)	Nessus	Red Hat Local Security Checks	critical
15777	GLSA-200411-29 : unarj: Long filenames buffer overflow and a path traversal vulnerability	Nessus	Gentoo Local Security Checks	critical

Detections

Analytics

CVE-2004-1027

high

Tenable Plugins

medium

critical

critical

critical