diff --git a/CVE-2022-48579.patch b/CVE-2022-48579.patch new file mode 100644 index 0000000000000000000000000000000000000000..4632a031268d5dffb251f34be102826b2389cad9 --- /dev/null +++ b/CVE-2022-48579.patch @@ -0,0 +1,432 @@ +From 2aa7fb1054558eac4c38bbc12efa2a5e01493bdd Mon Sep 17 00:00:00 2001 +From: pangqing +Date: Fri, 20 Sep 2024 17:31:14 +0800 +Subject: [PATCH] CVE-2022-48579 + +--- + arcread.cpp | 4 ++- + extinfo.cpp | 86 +++++++++++++++++++++++++++++++++++++++++++++++---- + extinfo.hpp | 3 +- + extract.cpp | 45 +++++++++++++++++++++++++-- + extract.hpp | 5 +++ + hardlinks.cpp | 2 -- + model.cpp | 5 +-- + os.hpp | 1 + + pathfn.cpp | 13 +++++--- + timefn.hpp | 11 +++++++ + ulinks.cpp | 7 +++-- + win32stm.cpp | 7 +++-- + 12 files changed, 165 insertions(+), 24 deletions(-) + +diff --git a/arcread.cpp b/arcread.cpp +index b0cf39f..639ed44 100644 +--- a/arcread.cpp ++++ b/arcread.cpp +@@ -1441,7 +1441,9 @@ bool Archive::ReadSubData(Array *UnpData,File *DestFile,bool TestMode) + { + if (SubHead.UnpSize>0x1000000) + { +- // So huge allocation must never happen in valid archives. ++ // Prevent the excessive allocation. When reading to memory, normally ++ // this function operates with reasonably small blocks, such as ++ // the archive comment, NTFS ACL or "Zone.Identifier" NTFS stream. + uiMsg(UIERROR_SUBHEADERUNKNOWN,FileName); + return false; + } +diff --git a/extinfo.cpp b/extinfo.cpp +index 5cb90a4..3ef80e4 100644 +--- a/extinfo.cpp ++++ b/extinfo.cpp +@@ -111,6 +111,66 @@ static bool LinkInPath(const wchar *Name) + return false; + } + ++// Delete symbolic links in file path, if any, and replace them by directories. ++// Prevents extracting files outside of destination folder with symlink chains. ++bool LinksToDirs(const wchar *SrcName,const wchar *SkipPart,std::wstring &LastChecked) ++{ ++ // Unlike Unix, Windows doesn't expand lnk1 in symlink targets like ++ // "lnk1/../dir", but converts the path to "dir". In Unix we need to call ++ // this function to prevent placing unpacked files outside of destination ++ // folder if previously we unpacked "dir/lnk1" -> "..", ++ // "dir/lnk2" -> "lnk1/.." and "dir/lnk2/anypath/poc.txt". ++ // We may still need this function to prevent abusing symlink chains ++ // in link source path if we remove detection of such chains ++ // in IsRelativeSymlinkSafe. This function seems to make other symlink ++ // related safety checks redundant, but for now we prefer to keep them too. ++ // ++ // 2022.12.01: the performance impact is minimized after adding the check ++ // against the previous path and enabling this verification only after ++ // extracting a symlink with ".." in target. So we enabled it for Windows ++ // as well for extra safety. ++//#ifdef _UNIX ++ wchar Path[NM]; ++ if (wcslen(SrcName)>=ASIZE(Path)) ++ return false; // It should not be that long, skip. ++ wcsncpyz(Path,SrcName,ASIZE(Path)); ++ ++ size_t SkipLength=wcslen(SkipPart); ++ ++ if (SkipLength>0 && wcsncmp(Path,SkipPart,SkipLength)!=0) ++ SkipLength=0; // Parameter validation, not really needed now. ++ ++ // Do not check parts already checked in previous path to improve performance. ++ for (uint I=0;Path[I]!=0 && ISkipLength) ++ SkipLength=I; ++ ++ wchar *Name=Path; ++ if (SkipLength>0) ++ { ++ // Avoid converting symlinks in destination path part specified by user. ++ Name+=SkipLength; ++ while (IsPathDiv(*Name)) ++ Name++; ++ } ++ ++ for (wchar *s=Path+wcslen(Path)-1;s>Name;s--) ++ if (IsPathDiv(*s)) ++ { ++ *s=0; ++ FindData FD; ++ if (FindFile::FastFind(Path,&FD,true) && FD.IsLink) ++#ifdef _WIN_ALL ++ if (!DelDir(Path)) ++#else ++ if (!DelFile(Path)) ++#endif ++ return false; // Couldn't delete the symlink to replace it with directory. ++ } ++ LastChecked=SrcName; ++//#endif ++ return true; ++} + + bool IsRelativeSymlinkSafe(CommandData *Cmd,const wchar *SrcName,const wchar *PrepSrcName,const wchar *TargetName) + { +@@ -131,10 +191,14 @@ bool IsRelativeSymlinkSafe(CommandData *Cmd,const wchar *SrcName,const wchar *Pr + UpLevels++; + TargetName++; + } +- // If link target includes "..", it must not have another links +- // in the path, because they can bypass our safety check. For example, ++ // If link target includes "..", it must not have another links in its ++ // source path, because they can bypass our safety check. For example, + // suppose we extracted "lnk1" -> "." first and "lnk1/lnk2" -> ".." next +- // or "dir/lnk1" -> ".." first and "dir/lnk1/lnk2" -> ".." next. ++ // or "dir/lnk1" -> ".." first, "dir/lnk1/lnk2" -> ".." next and ++ // file "dir/lnk1/lnk2/poc.txt" last. ++ // Do not confuse with link chains in target, this is in link source path. ++ // It is important for Windows too, though this check can be omitted ++ // if LinksToDirs is invoked in Windows as well. + if (UpLevels>0 && LinkInPath(PrepSrcName)) + return false; + +@@ -160,15 +224,25 @@ bool IsRelativeSymlinkSafe(CommandData *Cmd,const wchar *SrcName,const wchar *Pr + } + + +-bool ExtractSymlink(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const wchar *LinkName) ++bool ExtractSymlink(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const wchar *LinkName,bool &UpLink) + { ++ // Returning true in Uplink indicates that link target might include ".." ++ // and enables additional checks. It is ok to falsely return true here, ++ // as it implies only the minor performance penalty. But we shall always ++ // return true for links with ".." in target for security reason. ++ ++ UpLink=true; // Assume the target might include potentially unsafe "..". ++#if defined(SAVE_LINKS) && defined(_UNIX) || defined(_WIN_ALL) ++ if (Arc.Format==RARFMT50) // For RAR5 archives we can check RedirName for both Unix and Windows. ++ UpLink=wcsstr(Arc.FileHead.RedirName,L"..")!=NULL; ++#endif + #if defined(SAVE_LINKS) && defined(_UNIX) + // For RAR 3.x archives we process links even in test mode to skip link data. + if (Arc.Format==RARFMT15) +- return ExtractUnixLink30(Cmd,DataIO,Arc,LinkName); ++ return ExtractUnixLink30(Cmd,DataIO,Arc,LinkName,UpLink); + if (Arc.Format==RARFMT50) + return ExtractUnixLink50(Cmd,LinkName,&Arc.FileHead); +-#elif defined _WIN_ALL ++#elif defined(_WIN_ALL) + // RAR 5.0 archives store link information in file header, so there is + // no need to additionally test it if we do not create a file. + if (Arc.Format==RARFMT50) +diff --git a/extinfo.hpp b/extinfo.hpp +index 2b0005d..9c42f7d 100644 +--- a/extinfo.hpp ++++ b/extinfo.hpp +@@ -1,8 +1,9 @@ + #ifndef _RAR_EXTINFO_ + #define _RAR_EXTINFO_ + ++bool LinksToDirs(const wchar *SrcName,const wchar *SkipPart,std::wstring &LastChecked); + bool IsRelativeSymlinkSafe(CommandData *Cmd,const wchar *SrcName,const wchar *PrepSrcName,const wchar *TargetName); +-bool ExtractSymlink(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const wchar *LinkName); ++bool ExtractSymlink(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const wchar *LinkName,bool &UpLink); + #ifdef _UNIX + void SetUnixOwner(Archive &Arc,const wchar *FileName); + #endif +diff --git a/extract.cpp b/extract.cpp +index 76ee2d4..5e1cb26 100644 +--- a/extract.cpp ++++ b/extract.cpp +@@ -9,6 +9,12 @@ CmdExtract::CmdExtract(CommandData *Cmd) + *DestFileName=0; + + TotalFileCount=0; ++ ++ // Common for all archives involved. Set here instead of DoExtract() ++ // to use in unrar.dll too. Allows to avoid LinksToDirs() calls ++ // and save CPU time in no symlinks including ".." in target were extracted. ++ UpLinkExtracted=false; ++ + Unp=new Unpack(&DataIO); + #ifdef RAR_SMP + Unp->SetThreads(Cmd->Threads); +@@ -98,6 +104,7 @@ void CmdExtract::ExtractArchiveInit(Archive &Arc) + AnySolidDataUnpackedWell=false; + + StartTime.SetCurrentTime(); ++ LastCheckedSymlink.clear(); + } + + +@@ -511,6 +518,9 @@ bool CmdExtract::ExtractCurrentFile(Archive &Arc,size_t HeaderSize,bool &Repeat) + if (*Cmd->DllDestName!=0) + wcsncpyz(DestFileName,Cmd->DllDestName,ASIZE(DestFileName)); + #endif ++ if (ExtrFile && Command!='P' && !Cmd->Test && !Cmd->AbsoluteLinks && ++ UpLinkExtracted) ++ ExtrFile=LinksToDirs(DestFileName,Cmd->ExtrPath,LastCheckedSymlink); + + File CurFile; + +@@ -637,6 +647,18 @@ bool CmdExtract::ExtractCurrentFile(Archive &Arc,size_t HeaderSize,bool &Repeat) + + if (Type==FSREDIR_HARDLINK || Type==FSREDIR_FILECOPY) + { ++ wchar RedirName[NM]; ++ // 2022.11.15: Might be needed when unpacking WinRAR 5.0 links with ++ // Unix RAR. WinRAR 5.0 used \ path separators here, when beginning ++ // from 5.10 even Windows version uses / internally and converts ++ // them to \ when reading FHEXTRA_REDIR. ++ // We must perform this conversion before ConvertPath call, ++ // so paths mixing different slashes like \dir1/dir2\file are ++ // processed correctly. ++ SlashToNative(Arc.FileHead.RedirName,RedirName,ASIZE(RedirName)); ++ ++ ConvertPath(RedirName,RedirName,ASIZE(RedirName)); ++ + wchar NameExisting[NM]; + ExtrPrepareName(Arc,Arc.FileHead.RedirName,NameExisting,ASIZE(NameExisting)); + if (FileCreateMode && *NameExisting!=0) // *NameExisting can be 0 in case of excessive -ap switch. +@@ -649,7 +671,22 @@ bool CmdExtract::ExtractCurrentFile(Archive &Arc,size_t HeaderSize,bool &Repeat) + if (Type==FSREDIR_UNIXSYMLINK || Type==FSREDIR_WINSYMLINK || Type==FSREDIR_JUNCTION) + { + if (FileCreateMode) +- LinkSuccess=ExtractSymlink(Cmd,DataIO,Arc,DestFileName); ++ { ++ bool UpLink; ++ LinkSuccess=ExtractSymlink(Cmd,DataIO,Arc,DestFileName,UpLink); ++ UpLinkExtracted|=LinkSuccess && UpLink; ++ ++ // We do not actually need to reset the cache here if we cache ++ // only the single last checked path, because at this point ++ // it will always contain the link own path and link can't ++ // overwrite its parent folder. But if we ever decide to cache ++ // several already checked paths, we'll need to reset them here. ++ // Otherwise if no files were created in one of such paths, ++ // let's say because of file create error, it might be possible ++ // to overwrite the path with link and avoid checks. We keep this ++ // code here as a reminder in case of possible modifications. ++ LastCheckedSymlink.clear(); // Reset cache for safety reason. ++ } + } + else + { +@@ -824,8 +861,6 @@ void CmdExtract::UnstoreFile(ComprDataIO &DataIO,int64 DestUnpSize) + + bool CmdExtract::ExtractFileCopy(File &New,wchar *ArcName,wchar *NameNew,wchar *NameExisting,size_t NameExistingSize) + { +- SlashToNative(NameExisting,NameExisting,NameExistingSize); // Not needed for RAR 5.1+ archives. +- + File Existing; + if (!Existing.WOpen(NameExisting)) + { +@@ -1068,6 +1103,8 @@ void CmdExtract::ExtrCreateDir(Archive &Arc,const wchar *ArcFileName) + } + if (!DirExist) + { ++ if (!Cmd->AbsoluteLinks && UpLinkExtracted) ++ LinksToDirs(DestFileName,Cmd->ExtrPath,LastCheckedSymlink); + CreatePath(DestFileName,true); + MDCode=MakeDir(DestFileName,!Cmd->IgnoreGeneralAttr,Arc.FileHead.FileAttr); + if (MDCode!=MKDIR_SUCCESS) +@@ -1075,6 +1112,8 @@ void CmdExtract::ExtrCreateDir(Archive &Arc,const wchar *ArcFileName) + wchar OrigName[ASIZE(DestFileName)]; + wcsncpyz(OrigName,DestFileName,ASIZE(OrigName)); + MakeNameUsable(DestFileName,true); ++ if (!Cmd->AbsoluteLinks && UpLinkExtracted) ++ LinksToDirs(DestFileName,Cmd->ExtrPath,LastCheckedSymlink); + CreatePath(DestFileName,true); + MDCode=MakeDir(DestFileName,!Cmd->IgnoreGeneralAttr,Arc.FileHead.FileAttr); + #ifndef SFX_MODULE +diff --git a/extract.hpp b/extract.hpp +index 325928d..a2b65dd 100644 +--- a/extract.hpp ++++ b/extract.hpp +@@ -47,6 +47,11 @@ class CmdExtract + bool PrevProcessed; // If previous file was successfully extracted or tested. + wchar DestFileName[NM]; + bool PasswordCancelled; ++ bool UpLinkExtracted; // At least one symlink with ".." in target was extracted. ++ ++ // Last path checked for symlinks. We use it to improve the performance, ++ // so we do not check recently checked folders again. ++ std::wstring LastCheckedSymlink; + #if defined(_WIN_ALL) && !defined(SFX_MODULE) && !defined(SILENT) + bool Fat32,NotFat32; + #endif +diff --git a/hardlinks.cpp b/hardlinks.cpp +index 946a395..4b980de 100644 +--- a/hardlinks.cpp ++++ b/hardlinks.cpp +@@ -1,7 +1,5 @@ + bool ExtractHardlink(wchar *NameNew,wchar *NameExisting,size_t NameExistingSize) + { +- SlashToNative(NameExisting,NameExisting,NameExistingSize); // Not needed for RAR 5.1+ archives. +- + if (!FileExist(NameExisting)) + { + uiMsg(UIERROR_HLINKCREATE,NameNew); +diff --git a/model.cpp b/model.cpp +index 83391c5..d7382c7 100644 +--- a/model.cpp ++++ b/model.cpp +@@ -532,13 +532,14 @@ inline bool RARPPM_CONTEXT::decodeSymbol2(ModelPPM *Model) + Model->Coder.SubRange.LowCount=HiCnt; + Model->Coder.SubRange.HighCount=Model->Coder.SubRange.scale; + i=NumStats-Model->NumMasked; +- pps--; ++ // 2022.12.02: we removed pps-- here and changed the code below to avoid ++ // "array subscript -1 is outside array bounds" warning in some compilers. + do + { +- pps++; + if (pps>=ps+ASIZE(ps)) // Extra safety check. + return false; + Model->CharMask[(*pps)->Symbol]=Model->EscCount; ++ pps++; + } while ( --i ); + psee2c->Summ += Model->Coder.SubRange.scale; + Model->NumMasked = NumStats; +diff --git a/os.hpp b/os.hpp +index b69f348..a73dc7c 100644 +--- a/os.hpp ++++ b/os.hpp +@@ -13,6 +13,7 @@ + #endif + + #include ++#include + + + #if defined(_WIN_ALL) || defined(_EMX) +diff --git a/pathfn.cpp b/pathfn.cpp +index 278863c..921175a 100644 +--- a/pathfn.cpp ++++ b/pathfn.cpp +@@ -31,11 +31,16 @@ wchar* ConvertPath(const wchar *SrcPath,wchar *DestPath,size_t DestSize) + const wchar *s=DestPtr; + if (s[0]!=0 && IsDriveDiv(s[1])) + s+=2; +- if (s[0]=='\\' && s[1]=='\\') ++ // Skip UNC Windows \\server\share\ or Unix //server/share/ ++ if (IsPathDiv(s[0]) && IsPathDiv(s[1])) + { +- const wchar *Slash=wcschr(s+2,'\\'); +- if (Slash!=NULL && (Slash=wcschr(Slash+1,'\\'))!=NULL) +- s=Slash+1; ++ uint SlashCount=0; ++ for (const wchar *t=s+2;*t!=0;t++) ++ if (IsPathDiv(*t) && ++SlashCount==2) ++ { ++ s=t+1; // Found two more path separators after leading two. ++ break; ++ } + } + for (const wchar *t=s;*t!=0;t++) + if (IsPathDiv(*t)) +diff --git a/timefn.hpp b/timefn.hpp +index 5271361..49b61e8 100644 +--- a/timefn.hpp ++++ b/timefn.hpp +@@ -22,6 +22,17 @@ class RarTime + + // Internal time representation in 1/TICKS_PER_SECOND since 01.01.1601. + // We use nanoseconds here to handle the high precision Unix time. ++ // It allows dates up to July 2185. ++ // ++ // If we'll ever need to extend the date range, we can define a lower ++ // precision Windows version of TICKS_PER_SECOND. But then Unix and Windows ++ // versions can differ in least significant digits of "lt" time output ++ // for Unix archives. ++ // Alternatively we can introduce 'bool HighPrecision' set to true ++ // in SetUnixNS() and TicksPerSecond() instead of constant above. ++ // It might be more reliable than defining TicksPerSecond variable, ++ // which wouldn't survive memset of any structure hosting RarTime. ++ // We would need to eliminate all such memsets in the entire code first. + uint64 itime; + public: + // RarLocalTime::Reminder precision. Must be equal to TICKS_PER_SECOND. +diff --git a/ulinks.cpp b/ulinks.cpp +index 1656824..f97776f 100644 +--- a/ulinks.cpp ++++ b/ulinks.cpp +@@ -45,7 +45,8 @@ static bool IsFullPath(const char *PathA) // Unix ASCII version. + } + + +-bool ExtractUnixLink30(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const wchar *LinkName) ++static bool ExtractUnixLink30(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc, ++ const wchar *LinkName,bool &UpLink) + { + char Target[NM]; + if (IsLink(Arc.FileHead.FileAttr)) +@@ -75,13 +76,13 @@ bool ExtractUnixLink30(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const w + if (!Cmd->AbsoluteLinks && (*TargetW==0 || IsFullPath(TargetW) || + !IsRelativeSymlinkSafe(Cmd,Arc.FileHead.FileName,LinkName,TargetW))) + return false; ++ UpLink=strstr(Target,"..")!=NULL; + return UnixSymlink(Target,LinkName,&Arc.FileHead.mtime,&Arc.FileHead.atime); + } + return false; + } + +- +-bool ExtractUnixLink50(CommandData *Cmd,const wchar *Name,FileHeader *hd) ++static bool ExtractUnixLink50(CommandData *Cmd,const wchar *Name,FileHeader *hd) + { + char Target[NM]; + WideToChar(hd->RedirName,Target,ASIZE(Target)); +diff --git a/win32stm.cpp b/win32stm.cpp +index eaa43be..7e5e073 100644 +--- a/win32stm.cpp ++++ b/win32stm.cpp +@@ -117,8 +117,11 @@ void ExtractStreams(Archive &Arc,const wchar *FileName,bool TestMode) + if ((fd.FileAttr & FILE_ATTRIBUTE_READONLY)!=0) + SetFileAttr(FileName,fd.FileAttr & ~FILE_ATTRIBUTE_READONLY); + File CurFile; +- if (CurFile.WCreate(FullName) && Arc.ReadSubData(NULL,&CurFile,false)) +- CurFile.Close(); ++ if (CurFile.WCreate(FullName)) ++ { ++ if (Arc.ReadSubData(NULL,&CurFile,false)) ++ CurFile.Close(); ++ } + File HostFile; + if (Found && HostFile.Open(FileName,FMF_OPENSHARED|FMF_UPDATE)) + SetFileTime(HostFile.GetHandle(),&fd.ftCreationTime,&fd.ftLastAccessTime, +-- +2.39.3 + diff --git a/unrar.spec b/unrar.spec index a64da31d64f8815c11f66c6a18c89141dc5246d2..13828ad1ace36bbee128a0509edc469a7d253e8c 100644 --- a/unrar.spec +++ b/unrar.spec @@ -1,4 +1,4 @@ -%define anolis_release 2 +%define anolis_release 3 Name: unrar Version: 5.9.4 Release: 1.%{anolis_release}%{?dist} @@ -9,6 +9,7 @@ Source0: https://www.rarlab.com/rar/unrarsrc-%{version}.tar.gz # Man page from Debian Source1: unrar.1 Patch0: unrar-5.9.4-build.patch +Patch1: CVE-2022-48579.patch BuildRequires: gcc-c++ @@ -93,6 +94,9 @@ touch -r license.txt %{buildroot}%{_sysconfdir}/rpm/macros.unrar %changelog +* Fri Sep 20 2024 pangqing - 5.9.4-2.3 +- Fix CVE-2022-48579 + * Tue Nov 07 2023 yangxianzhao - 5.9.4-2.2 - rebuild for qt