Fedora Core 2 FEDORA-2004-414 Critical: Unarj Buffer Overflow Notice

The UNARJ program is used to uncompress .arj format archives. The .arj

format archive was mostly used on DOS machines.

Install the unarj package if you need to uncompress .arj format

archives.

A buffer overflow bug has been discovered in unarj when handling long file names contained in an archive. An attacker could create an archive with a specially crafted path which could cause unarj to crash or execute arbitrary instructions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0947 to this issue.

Additionally, a path traversal vulnerability exists in unarj which allows an attacker to extract files to the parent ("..") directory. When used recursively, this vulnerability can be used to overwrite critical system files and programs.

Users of unarj are advised to upgrade to these packages. * Wed Nov 10 2004 Lon Hohberger <lhh@redhat.com> 2.63a-7

- Fix directory traversal & buffer overflow. #138468

* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>

- rebuilt

This update can be downloaded from:

7cd2b05ac20893645d2d5307bec0bd44 SRPMS/unarj-2.63a-7.src.rpm 373d4ac8b936d388deeec2ef34195783 x86_64/unarj-2.63a-7.x86_64...