unarj seems to suffer from at least two security vulnerabilities discovered almost 20 years ago: CVE-2004-0947 and CVE-2004-1027. It also suffers from at least one date/time bug and probably several more. unarj was abandoned more than 20 years ago.

There are patches for these two vulnerabilities in FreeBSD ports, as well as fixes for some more bugs:
https://svnweb.freebsd.org/ports/head/archivers/unarj/files/

However, Mageia also ships the arj package which does what unarj does and more, it's under an Open Source license, and it was abandoned a few years later. There is probably little to gain by shipping both (except some backward compatibility in case anything is looking for "unarj" specifically), so perhaps we should just drop unarj.
Blocks: (none) => 30163
Thanks Dan for the report. Luigi has already marked unarj for dropping. Is it OK to close this bug now, or does it have to wait until the to-drop Tracker bug is closed?
CC: (none) => lewyssmith
unarj now obsoleted by arj:
https://svnweb.mageia.org/packages?view=revision&revision=1944637

A sysadmin should now manually remove it from Tainted repo!
CC: (none) => geiger.david68210
Assignee: bugsquad => sysadmin-bugs
CC: (none) => luigiwalser
When this is done, can the bug be closed or must it remain open?
Patches should be added to the Mageia 8 package if possible.
unarj no longer appears in tainted.
Assignee: sysadmin-bugs => pkg-bugs
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Buffer overflow in unarj before 2.63a-r2 allows remote attackers to execute arbitrary code via an arj archive that contains long filenames. (CVE-2004-0947)

Directory traversal vulnerability in the -x (extract) command line option in unarj allows remote attackers to overwrite arbitrary files via an arj archive with filenames that contain .. (dot dot) sequences. (CVE-2004-1027)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0947
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1027
========================

Updated package in tainted/updates_testing:
========================
unarj-2.65-6.1.mga8.tainted

from SRPM:
unarj-2.65-6.1.mga8.tainted.src.rpm
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
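The two filename checks the advisory above concerns (an over-long member name, and .. path components), written out as an added example; it is not part of this bug report and is not the FreeBSD or Mageia patch. check_member_name, MEMBER_NAME_MAX and the status codes are hypothetical names, and the sample names in main are constructed.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define MEMBER_NAME_MAX 512 /* assumed buffer size, not unarj's own constant */

enum { NAME_OK = 0, NAME_EMPTY = -1, NAME_TOO_LONG = -2,
       NAME_ABSOLUTE = -3, NAME_TRAVERSAL = -4 };

/* Validate a member name from an untrusted archive header, then copy it to out.
 * raw need not be NUL-terminated; rawlen is the size of the header field. */
int check_member_name(const char *raw, size_t rawlen, char *out, size_t outsz)
{
    size_t len = 0, start = 0, i;

    while (len < rawlen && raw[len] != '\0') /* never read past the field */
        len++;
    if (len == 0)
        return NAME_EMPTY;
    /* Long-filename case (CVE-2004-0947): refuse, do not truncate or overflow. */
    if (outsz == 0 || len >= outsz)
        return NAME_TOO_LONG;
    /* Absolute paths and DOS drive prefixes leave the extraction directory. */
    if (raw[0] == '/' || raw[0] == '\\' || (len >= 2 && raw[1] == ':'))
        return NAME_ABSOLUTE;
    /* Dot-dot case (CVE-2004-1027): test each slash or backslash separated component. */
    for (i = 0; i <= len; i++) {
        if (i == len || raw[i] == '/' || raw[i] == '\\') {
            if (i - start == 2 && raw[start] == '.' && raw[start + 1] == '.')
                return NAME_TRAVERSAL;
            start = i + 1;
        }
    }
    memcpy(out, raw, len);
    out[len] = '\0';
    return NAME_OK;
}

int main(void)
{
    /* Constructed sample names, not taken from any real archive. */
    const char *samples[] = { "PICT0218.JPG", "photos/a..b.jpg", "../x", "a/../../x", "/tmp/x" };
    char out[MEMBER_NAME_MAX];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %d\n", samples[i],
               check_member_name(samples[i], strlen(samples[i]) + 1, out, sizeof out));
    return 0;
}
```

A name is rejected outright rather than truncated or rewritten, so an extractor using a check like this skips the member instead of writing to a path the archive did not literally name.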
CC: lewyssmith => (none)
No installation issues.

Searched the Web for a sample .arj file, and came up empty, so I had to create my own. Unarj doesn't create arj archives, so I installed and used arj on some personal photos:

$ arj a fifteen /home/tom/Pictures/15hp/
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [29 Jun 2020]
Creating archive : fifteen.arj
Adding /home/tom/Pictures/15hp/PICT0218.JPG 99.7%
Adding /home/tom/Pictures/15hp/IMAG0001.JPG 98.9%
Adding /home/tom/Pictures/15hp/P1010074.JPG 97.8%
Adding /home/tom/Pictures/15hp/P1010073.JPG 97.9%
Adding /home/tom/Pictures/15hp/IMAG0005.JPG 98.8%
Adding /home/tom/Pictures/15hp/PICT0219.JPG 99.8%
Adding /home/tom/Pictures/15hp/IMAG0002.JPG 98.8%
Adding /home/tom/Pictures/15hp/P1010075.JPG 97.7%
Adding /home/tom/Pictures/15hp/IMAG0004.JPG 98.9%
Adding /home/tom/Pictures/15hp/PICT0217.JPG 99.8%
Adding /home/tom/Pictures/15hp/P1010076.JPG 97.1%
Adding /home/tom/Pictures/15hp/IMAG0003.JPG 98.9%
12 file(s)

Then I used unarj, first to list the archived files, then extract them:

$ unarj fifteen.arj
UNARJ (Demo version) 2.65 Copyright (c) 1991-2002 ARJ Software, Inc.

Processing archive: fifteen.arj
Archive created: 2030-00-27 08:49:04, modified: 2030-00-27 08:49:04
Filename       Original Compressed Ratio DateTime modified CRC-32   AttrBTPMGVX
------------ ---------- ---------- ----- ----------------- -------- -----------
PICT0218.JPG    2373205    2366712 0.997 25-00-29 06:09:44 4E73F614 A--W B+1
IMAG0001.JPG     165339     163466 0.989 17-05-25 03:48:16 F51D8077 A--W B+1
P1010074.JPG     246348     241016 0.978 17-04-10 00:58:58 5AC77986 A--W B+1
P1010073.JPG     250556     245337 0.979 17-04-10 00:55:44 D4AA60A8 A--W B+1
IMAG0005.JPG     140077     138401 0.988 17-05-25 03:50:20 B5B87E1D A--W B+1
PICT0219.JPG    2430813    2425454 0.998 25-00-29 06:10:08 767A8C35 A--W B+1
IMAG0002.JPG     154367     152590 0.988 17-05-25 03:48:44 D8E9BECF A--W B+1
P1010075.JPG     222368     217228 0.977 17-04-10 00:60:58 9A4AAC7E A--W B+1
IMAG0004.JPG     178858     176964 0.989 17-05-25 03:49:56 5FFC510A A--W B+1
PICT0217.JPG    2310309    2304595 0.998 25-00-29 06:09:12 B67BC399 A--W B+1
P1010076.JPG     216848     210662 0.971 17-04-10 00:63:10 EEB5683A A--W B+1
IMAG0003.JPG     187735     185719 0.989 17-05-25 03:49:16 906F10E3 A--W B+1
------------ ---------- ---------- ----- -----------------
    12 files    8876823    8828144 0.995 30-00-27 08:49:04

$ unarj e fifteen.arj
UNARJ (Demo version) 2.65 Copyright (c) 1991-2002 ARJ Software, Inc.

Processing archive: fifteen.arj
Archive created: 2030-00-27 08:49:04, modified: 2030-00-27 08:49:04
Extracting PICT0218.JPG CRC OK
Extracting IMAG0001.JPG CRC OK
Extracting P1010074.JPG CRC OK
Extracting P1010073.JPG CRC OK
Extracting IMAG0005.JPG CRC OK
Extracting PICT0219.JPG CRC OK
Extracting IMAG0002.JPG CRC OK
Extracting P1010075.JPG CRC OK
Extracting IMAG0004.JPG CRC OK
Extracting PICT0217.JPG CRC OK
Extracting P1010076.JPG CRC OK
Extracting IMAG0003.JPG CRC OK
12 file(s)

The resulting images looked OK in Gwenview.

Giving this an OK, and validating. Advisory in comment 6.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0107.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED