Re: unarj dir-transversal bug (../../../..)

[Chris Umphress <umphress () gmail com>]

> evil@sheep:~$ unarj x test.arj
> ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [27 Jun 2004]
>
> Processing archive: test.arj
> Archive created: 2004-10-12 01:15:49, modified: 2004-10-12 01:15:49
> usr/bin/namei, Create this directory? Yes
> Extracting ../usr/bin/namei           to usr/bin/namei               OK
>      1 file(s)
>
> so it's not taking all the ../ into account and also an .arj created with
> full path is created in $PWD. arj + unarj are both v3.10.

Good point. I tried extracting again with 3.10, and it only leaves the
one "../" on the front.

> ...somehow i don't expect programs to mess with /usr. not as a user and
> not as root.

I just picked /usr, it could have been /etc, /var or any other
standard directory that every *nix distribution has. Regardless, if I
try to make unarj write to a directory that I don't have the
neccessary permissions for, it asks me to pick an alternate location
to extract to.

> /me wonders about which version of arj/unarj "doubles" is talking about....

I don't see a problem, but it would be interesting to see which
version "doubles" is refering to.

-- 
Chris Umphres <http://daga.dyndns.org/>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html