Bug 31546

Summary: unarj unpatched security problems
Product: Mageia Reporter: Dan Fandrich <dan>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, luigiwalser, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: unarj-2.65-6.mga8.tainted.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 30163    

Description Dan Fandrich 2023-02-14 09:58:53 CET 
unarj seems to suffer from at least two security vulnerabilities discovered almost 20 years ago: CVE-2004-0947 and CVE-2004-1027  It also suffers from at least one date/time bug and probably several more.

unarj was abandoned more than 20 years ago. There are patches for these two vulnerabilities in FreeBSD ports, as well as fixes for some more bugs: https://svnweb.freebsd.org/ports/head/archivers/unarj/files/  However, Mageia also ships the arj package which does what unarj does and more, it's under an Open Source license, and it was abandoned a few years later. There is probably little to gain by shipping both (except some backward compatibility in case anything is looking for "unarj" specifically), so perhaps we should just drop unarj.
David Walser 2023-02-14 16:10:41 CET

Blocks: (none) => 30163

Comment 1 Lewis Smith 2023-02-14 20:33:27 CET 
Thanks Dan for the report. Luigi has already marked unarj for dropping.
Is it OK to close this bug now, or does it have to wait until the to-drop Tracker bug is closed?

CC: (none) => lewyssmith

Comment 2 David GEIGER 2023-02-22 05:18:52 CET 
unarj now obsoleted by arj:

https://svnweb.mageia.org/packages?view=revision&revision=1944637

A sysadmin should now manually remove it from Tainted repo!

CC: (none) => geiger.david68210

David Walser 2023-02-23 20:31:39 CET

Assignee: bugsquad => sysadmin-bugs
CC: (none) => luigiwalser

Comment 3 Lewis Smith 2023-02-23 20:43:58 CET 
When this is done, can the bug be closed or must it remain open?
Comment 4 David Walser 2023-02-23 20:50:37 CET 
Patches should be added to the Mageia 8 package if possible.
Comment 5 David Walser 2023-03-16 16:49:43 CET 
unarj no longer appears in tainted.

Assignee: sysadmin-bugs => pkg-bugs

Comment 6 Nicolas Salguero 2023-03-20 09:43:15 CET 
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Buffer overflow in unarj before 2.63a-r2 allows remote attackers to execute arbitrary code via an arj archive that contains long filenames. (CVE-2004-0947)

Directory traversal vulnerability in the -x (extract) command line option in unarj allows remote attackers to overwrite arbitrary files via an arj archive with filenames that contain .. (dot dot) sequences. (CVE-2004-1027)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0947
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1027
========================

Updated package in tainted/updates_testing:
========================
unarj-2.65-6.1.mga8.tainted

from SRPM:
unarj-2.65-6.1.mga8.tainted.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero

Lewis Smith 2023-03-20 22:01:58 CET

CC: lewyssmith => (none)

Comment 7 Thomas Andrews 2023-03-22 19:38:16 CET 
No installation issues. 

Searched the Web for a sample .arj file, and came up empty, so I had to create my own. Unarj doesn't create arj archives, so I installed and used arj on some personal photos:

$ arj a fifteen /home/tom/Pictures/15hp/
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [29 Jun 2020]

Creating archive  : fifteen.arj
Adding    /home/tom/Pictures/15hp/PICT0218.JPG   99.7%    
Adding    /home/tom/Pictures/15hp/IMAG0001.JPG   98.9%    
Adding    /home/tom/Pictures/15hp/P1010074.JPG   97.8%    
Adding    /home/tom/Pictures/15hp/P1010073.JPG   97.9%    
Adding    /home/tom/Pictures/15hp/IMAG0005.JPG   98.8%    
Adding    /home/tom/Pictures/15hp/PICT0219.JPG   99.8%    
Adding    /home/tom/Pictures/15hp/IMAG0002.JPG   98.8%    
Adding    /home/tom/Pictures/15hp/P1010075.JPG   97.7%    
Adding    /home/tom/Pictures/15hp/IMAG0004.JPG   98.9%    
Adding    /home/tom/Pictures/15hp/PICT0217.JPG   99.8%    
Adding    /home/tom/Pictures/15hp/P1010076.JPG   97.1%    
Adding    /home/tom/Pictures/15hp/IMAG0003.JPG   98.9%    
    12 file(s)

Then I used unarj, first to list the archived files, then extract them:

$ unarj fifteen.arj
UNARJ (Demo version) 2.65 Copyright (c) 1991-2002 ARJ Software, Inc.

Processing archive: fifteen.arj
Archive created: 2030-00-27 08:49:04, modified: 2030-00-27 08:49:04
Filename       Original Compressed Ratio DateTime modified CRC-32   AttrBTPMGVX
------------ ---------- ---------- ----- ----------------- -------- -----------
PICT0218.JPG    2373205    2366712 0.997 25-00-29 06:09:44 4E73F614 A--W B+1   
IMAG0001.JPG     165339     163466 0.989 17-05-25 03:48:16 F51D8077 A--W B+1   
P1010074.JPG     246348     241016 0.978 17-04-10 00:58:58 5AC77986 A--W B+1   
P1010073.JPG     250556     245337 0.979 17-04-10 00:55:44 D4AA60A8 A--W B+1   
IMAG0005.JPG     140077     138401 0.988 17-05-25 03:50:20 B5B87E1D A--W B+1   
PICT0219.JPG    2430813    2425454 0.998 25-00-29 06:10:08 767A8C35 A--W B+1   
IMAG0002.JPG     154367     152590 0.988 17-05-25 03:48:44 D8E9BECF A--W B+1   
P1010075.JPG     222368     217228 0.977 17-04-10 00:60:58 9A4AAC7E A--W B+1   
IMAG0004.JPG     178858     176964 0.989 17-05-25 03:49:56 5FFC510A A--W B+1   
PICT0217.JPG    2310309    2304595 0.998 25-00-29 06:09:12 B67BC399 A--W B+1   
P1010076.JPG     216848     210662 0.971 17-04-10 00:63:10 EEB5683A A--W B+1   
IMAG0003.JPG     187735     185719 0.989 17-05-25 03:49:16 906F10E3 A--W B+1   
------------ ---------- ---------- ----- -----------------
    12 files    8876823    8828144 0.995 30-00-27 08:49:04
$ unarj e fifteen.arj 
UNARJ (Demo version) 2.65 Copyright (c) 1991-2002 ARJ Software, Inc.

Processing archive: fifteen.arj
Archive created: 2030-00-27 08:49:04, modified: 2030-00-27 08:49:04
Extracting PICT0218.JPG               CRC OK
Extracting IMAG0001.JPG               CRC OK
Extracting P1010074.JPG               CRC OK
Extracting P1010073.JPG               CRC OK
Extracting IMAG0005.JPG               CRC OK
Extracting PICT0219.JPG               CRC OK
Extracting IMAG0002.JPG               CRC OK
Extracting P1010075.JPG               CRC OK
Extracting IMAG0004.JPG               CRC OK
Extracting PICT0217.JPG               CRC OK
Extracting P1010076.JPG               CRC OK
Extracting IMAG0003.JPG               CRC OK
   12 file(s)

The resulting images looked OK in Gwenview. Giving this an OK, and validating. Advisory in comment 6.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2023-03-23 23:42:16 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2023-03-24 06:57:23 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0107.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED