tags 874059 + patch thanks Patch attached.
It includes autopkgtests that check this CVE, plus a smoketest of a regular (i.e. non-exploit) extraction to catch regressions. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
diff --git a/debian/tests/0001-smoketest b/debian/tests/0001-smoketest
new file mode 100755
index 0000000..be5e756
--- /dev/null
+++ b/debian/tests/0001-smoketest
@@ -0,0 +1,35 @@
+#!/bin/sh
+#
+# Simple smoketest of unrar extraction
+
+setUp() {
+ uudecode >archive.rar <<EOF
+begin-base64 644 -
+UmFyIRoHAM+QcwAADQAAAAAAAACRAHSAgCgAIgEAACACAAAD/TwH77wMJjEU
+MwgApIEAAGNsYW0uZXhlCcFZTMgAAAAc1+kYULWtszouCt0cW/3wCyWsye2n
+RguDS4S0kpcrL/Ckuag5oPiSg4XBFBJ4AvgNycVB2XFyiRkW0V72ztCr4Bcu
+B8d59wPudOc8U/fcy4cx+8BpcIwPB8QCODjnz9RDySYkGsD35zzsto5FTmxj
+5fRVUfTtJS0GOfB7dcwGtToG4wzG2O36fn4uYYffJwif60WIcezfkH69OKhK
+xdyP9cmyb8X+TxO96u7mG6pvU1BTpu3uCF8FGrN4dy1XXu3Q31cdGXoiTpES
+WsL0LTSYeRmueQDUdCO/CFqK1DM5+Ac3Hp/cmqSlHyFAmkXjJiUGuU5a4ONx
+6QRICbOWzHof7owJl9N++fCuQsvDR4qFpNPgqgaL58LetsA=
+====
+EOF
+}
+
+tearDown() {
+ rm -f archive.tar clam.exe
+}
+
+testList() {
+ unrar-free --list archive.rar
+ assertEquals "Status code" $? 0
+}
+
+testExtract() {
+ unrar-free --extract archive.rar
+ assertEquals "Status code" $? 0
+ assertTrue "File exists" "[ -e clam.exe ]"
+}
+
+. /usr/bin/shunit2
diff --git a/debian/tests/0002-CVE-2017-14120 b/debian/tests/0002-CVE-2017-14120
new file mode 100755
index 0000000..740cd90
--- /dev/null
+++ b/debian/tests/0002-CVE-2017-14120
@@ -0,0 +1,30 @@
+#!/bin/sh
+#
+# Test CVE-2017-14120
+
+setUp() {
+ uudecode >archive.rar <<EOF
+begin-base64 644 -
+UmFyIRoHAM+QcwAADQAAAAAAAABvvXQAgCUABQAAAAUAAAAAm7HC/4+CR0YU
+MAUAIAAAAC4uL3h4YWFiDQo=
+====
+EOF
+}
+
+tearDown() {
+ rm -f archive.tar ../xx
+}
+
+testList() {
+ unrar-free --list archive.rar
+ assertEquals "Status code" $? 0
+}
+
+testExtract() {
+ unrar-free --extract archive.rar
+ assertNotEquals "Status code" $? 0
+ assertFalse "File does not exist" "-e ../xx"
+}
+
+
+. /usr/bin/shunit2
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..9aa54dd
--- /dev/null
+++ b/debian/tests/control
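Review bot: `tearDown` removes `archive.tar`, but `setUp` decodes the fixture to `archive.rar`, so the archive is left in the working directory after every test; the line should read `rm -f archive.rar clam.exe`. The same mismatch is in the tearDown of debian/tests/0002-CVE-2017-14120 (`rm -f archive.tar ../xx`). shunit2's assertEquals takes the expected value before the actual one, so `assertEquals "Status code" 0 $?` produces the intended failure message; the same swap applies to testList here and to both assertions in 0002.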
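Review bot: This fixture appears to exercise only the leading `../` form of the name (the assertion looks for `../xx`), so the second condition of the new src/unrar.c check, an embedded `/../` component, is left without a regression test; a further entry or test file with a nested name of that shape would cover it. The message passed to `assertFalse "File does not exist" "-e ../xx"` is printed on failure, i.e. when the file does exist, so `assertFalse "File escaped the extraction directory" "-e ../xx"` describes the failure rather than the expectation. For consistency with 0001-smoketest's `assertTrue "File exists" "[ -e clam.exe ]"`, the bracketed form would read the same in both scripts.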
@@ -0,0 +1,7 @@
+Tests: 0001-smoketest
+Depends: @, sharutils
+Restrictions: allow-stderr
+
+Tests: 0002-CVE-2017-14120
+Depends: @, sharutils
+Restrictions: allow-stderr
diff --git a/src/unrar.c b/src/unrar.c
index a709ba0..b644180 100644
--- a/src/unrar.c
+++ b/src/unrar.c
@@ -362,6 +362,11 @@ unrar_extract_file (struct unrar_arguments_t *unrar, char *filename,
 error (0, 0, "asprintf failed: %m\n");
 return 0;
 }
+ if (!strncmp ("../", file, strlen("../")) || strstr (file, "/../"))
+ {
+ error (0, 0, "archive contains unsafe filename: '%s'\n", file);
+ return -1;
+ }
 //where do i put it? in destination.
 if (unrar->extract_newer)
 {
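Review bot: The new early return leaks `file`: the `asprintf failed` error path immediately above implies `file` was just heap-allocated, and `return -1` leaves the function without releasing it, so the line should read `free (file); return -1;` (or jump to whatever cleanup label the function already has; unrar_extract_file's body continues outside the hunk). The check also does not match a name whose final component is `..` with no trailing slash, nor a `..` component written with a backslash separator if RAR entry names are not normalised before this point; rejecting any `/`-separated component equal to `..` would be the more robust form. The asprintf failure path returns 0 while this one returns -1, so it is worth confirming that callers treat both values as failure.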