Ubuntu
unrar-nonfree package

Directory traversal vulnerability

Bug #1451260 reported by Felix Geyer on 2015-05-03
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
unrar-nonfree (Debian)
Fix Released
Unknown
unrar-nonfree (Ubuntu)
Fix Released
Undecided
Unassigned
Precise
Fix Released
Undecided
Steve Beattie
Trusty
Fix Released
Undecided
Steve Beattie
Utopic
Fix Released
Undecided
Steve Beattie
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

unrar-nonfree before version 5.2.7 suffers from a symlink directory traversal vulnerability.

More details at:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774171

Felix Geyer (debfx) on 2015-05-03
Changed in unrar-nonfree (Ubuntu):
status: New → Fix Released
Felix Geyer (debfx) wrote :

I'm not aware of any CVE for this issue.

Attached are debdiffs for precise, trusty and utopic.
vivid has 5.2.7, so not affected.

Felix Geyer (debfx) wrote :
Felix Geyer (debfx) wrote :
Felix Geyer (debfx) wrote :
Steve Beattie (sbeattie) wrote :

Thanks, I'll take a look at these in a bit.

Changed in unrar-nonfree (Ubuntu Precise):
status: New → In Progress
Changed in unrar-nonfree (Ubuntu Trusty):
status: New → In Progress
Changed in unrar-nonfree (Ubuntu Utopic):
status: New → In Progress
Changed in unrar-nonfree (Ubuntu Precise):
assignee: nobody → Steve Beattie (sbeattie)
Changed in unrar-nonfree (Ubuntu Trusty):
assignee: nobody → Steve Beattie (sbeattie)
Changed in unrar-nonfree (Ubuntu Utopic):
assignee: nobody → Steve Beattie (sbeattie)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unrar-nonfree - 1:5.0.10-1ubuntu0.14.10.1

---------------
unrar-nonfree (1:5.0.10-1ubuntu0.14.10.1) utopic-security; urgency=medium

  * SECURITY UPDATE: symlink directory traversal vulnerability (LP: #1451260)
    - debian/patches/fix-dir-traversal: backported the upstream fix

 -- Felix Geyer <email address hidden> Sun, 03 May 2015 22:57:02 +0200

Changed in unrar-nonfree (Ubuntu Utopic):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unrar-nonfree - 1:4.0.3-1ubuntu0.1

---------------
unrar-nonfree (1:4.0.3-1ubuntu0.1) precise-security; urgency=medium

  * SECURITY UPDATE: symlink directory traversal vulnerability (LP: #1451260)
    - debian/patches/fix-dir-traversal: backported the upstream fix

 -- Felix Geyer <email address hidden> Sun, 03 May 2015 23:09:30 +0200

Changed in unrar-nonfree (Ubuntu Precise):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unrar-nonfree - 1:5.0.10-1ubuntu0.14.04.1

---------------
unrar-nonfree (1:5.0.10-1ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: symlink directory traversal vulnerability (LP: #1451260)
    - debian/patches/fix-dir-traversal: backported the upstream fix

 -- Felix Geyer <email address hidden> Sun, 03 May 2015 22:57:02 +0200

Changed in unrar-nonfree (Ubuntu Trusty):
status: In Progress → Fix Released
Bug Watch Updater (bug-watch-updater) on 2015-05-06
Changed in unrar-nonfree (Debian):
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.