
Bug#1050562: bookworm-pu: package unrar-nonfree/1:6.2.6-1+deb12u1



Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: unrar-nonfree@packages.debian.org, team@security.debian.org, yokota.hgml@gmail.com
Control: affects -1 + src:unrar-nonfree

[ Reason ]
To fix CVE-2023-40477.
CVE-2023-40477 was fixed in unrar-nonfree 6.2.9-1, which has already been released for
trixie/sid.

[ Impact ]
If not fixed, it allows remote attackers to execute arbitrary code.

[ Tests ]
There is no test case for CVE-2023-40477.
The Debian autopkgtest for normal operation passed.

[ Risks ]
There is no test case for CVE-2023-40477, so I cannot confirm that the bug is fixed.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Apply the upstream fix from UnRAR 6.2.9 to unrar-nonfree 6.2.6-1, which is in bookworm.

The debdiff can be examined online:
  https://github.com/debian-calibre/unrar-nonfree/compare/debian/1%256.2.6-1...debian/1%256.2.6-1+deb12u1

[ Other info ]
* RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code
  Execution Vulnerability
  https://www.zerodayinitiative.com/advisories/ZDI-23-1152/

* WinRAR 6.23 final released
  https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=232&cHash=c5bf79590657e32554c6683296a8e8aa
diff -Nru unrar-nonfree-6.2.6/debian/changelog unrar-nonfree-6.2.6/debian/changelog
--- unrar-nonfree-6.2.6/debian/changelog	2023-02-23 12:31:56.000000000 +0900
+++ unrar-nonfree-6.2.6/debian/changelog	2023-08-26 16:27:26.000000000 +0900
@@ -1,3 +1,9 @@
+unrar-nonfree (1:6.2.6-1+deb12u1) bookworm; urgency=medium
+
+  * Fix CVE-2023-40477
+
+ -- YOKOTA Hiroshi <yokota.hgml@gmail.com>  Sat, 26 Aug 2023 16:27:26 +0900
+
 unrar-nonfree (1:6.2.6-1) unstable; urgency=medium
 
   * New upstream version 6.2.6
diff -Nru unrar-nonfree-6.2.6/debian/patches/0015-CVE-2023-40477.patch unrar-nonfree-6.2.6/debian/patches/0015-CVE-2023-40477.patch
--- unrar-nonfree-6.2.6/debian/patches/0015-CVE-2023-40477.patch	1970-01-01 09:00:00.000000000 +0900
+++ unrar-nonfree-6.2.6/debian/patches/0015-CVE-2023-40477.patch	2023-08-26 16:27:26.000000000 +0900
@@ -0,0 +1,106 @@
+From: YOKOTA Hiroshi <yokota.hgml@gmail.com>
+Date: Fri, 21 Jul 2023 00:33:42 +0900
+Subject: CVE-2023-40477
+
+---
+ getbits.cpp     |  8 ++++----
+ pathfn.cpp      |  2 +-
+ recvol3.cpp     | 11 +++++++++--
+ secpassword.cpp |  8 ++++----
+ 4 files changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/getbits.cpp b/getbits.cpp
+index 8805f27..5d5ad2b 100644
+--- a/getbits.cpp
++++ b/getbits.cpp
+@@ -5,11 +5,11 @@ BitInput::BitInput(bool AllocBuffer)
+   ExternalBuffer=false;
+   if (AllocBuffer)
+   {
+-    // getbits*() attempt to read data from InAddr, ... InAddr+3 positions.
+-    // So let's allocate 3 additional bytes for situation, when we need to
++    // getbits*() attempt to read data from InAddr, ... InAddr+4 positions.
++    // So let's allocate 4 additional bytes for situation, when we need to
+     // read only 1 byte from the last position of buffer and avoid a crash
+-    // from access to next 3 bytes, which contents we do not need.
+-    size_t BufSize=MAX_SIZE+3;
++    // from access to next 4 bytes, which contents we do not need.
++    size_t BufSize=MAX_SIZE+4;
+     InBuf=new byte[BufSize];
+ 
+     // Ensure that we get predictable results when accessing bytes in area
+diff --git a/pathfn.cpp b/pathfn.cpp
+index 49d16a8..7a54354 100644
+--- a/pathfn.cpp
++++ b/pathfn.cpp
+@@ -746,7 +746,7 @@ static void GenArcName(wchar *ArcName,size_t MaxSize,const wchar *GenerateMask,u
+       // Here we ensure that we have enough 'N' characters to fit all digits
+       // of archive number. We'll replace them by actual number later
+       // in this function.
+-      if (NCount<Digits)
++      if (NCount<Digits && wcslen(Mask)+Digits-NCount<ASIZE(Mask))
+       {
+         wmemmove(Mask+I+Digits,Mask+I+NCount,wcslen(Mask+I+NCount)+1);
+         wmemset(Mask+I,'N',Digits);
+diff --git a/recvol3.cpp b/recvol3.cpp
+index ecf6dd3..0138d0f 100644
+--- a/recvol3.cpp
++++ b/recvol3.cpp
+@@ -226,7 +226,7 @@ bool RecVolumes3::Restore(CommandData *Cmd,const wchar *Name,bool Silent)
+       if (WrongParam)
+         continue;
+     }
+-    if (P[1]+P[2]>255)
++    if (P[0]<=0 || P[1]<=0 || P[2]<=0 || P[1]+P[2]>255 || P[0]+P[2]-1>255)
+       continue;
+     if (RecVolNumber!=0 && RecVolNumber!=P[1] || FileNumber!=0 && FileNumber!=P[2])
+     {
+@@ -238,7 +238,14 @@ bool RecVolumes3::Restore(CommandData *Cmd,const wchar *Name,bool Silent)
+     wcsncpyz(PrevName,CurName,ASIZE(PrevName));
+     File *NewFile=new File;
+     NewFile->TOpen(CurName);
+-    SrcFile[FileNumber+P[0]-1]=NewFile;
++
++    // This check is redundant taking into account P[I]>255 and P[0]+P[2]-1>255
++    // checks above. Still we keep it here for better clarity and security.
++    int SrcPos=FileNumber+P[0]-1;
++    if (SrcPos<0 || SrcPos>=ASIZE(SrcFile))
++      continue;
++    SrcFile[SrcPos]=NewFile;
++
+     FoundRecVolumes++;
+ 
+     if (RecFileSize==0)
+diff --git a/secpassword.cpp b/secpassword.cpp
+index 42ed47d..08da549 100644
+--- a/secpassword.cpp
++++ b/secpassword.cpp
+@@ -70,7 +70,7 @@ void SecPassword::Clean()
+ {
+   PasswordSet=false;
+   if (Password.size()>0)
+-    cleandata(&Password[0],Password.size());
++    cleandata(&Password[0],Password.size()*sizeof(Password[0]));
+ }
+  
+ 
+@@ -141,7 +141,7 @@ size_t SecPassword::Length()
+   wchar Plain[MAXPASSWORD];
+   Get(Plain,ASIZE(Plain));
+   size_t Length=wcslen(Plain);
+-  cleandata(Plain,ASIZE(Plain));
++  cleandata(Plain,sizeof(Plain));
+   return Length;
+ }
+ 
+@@ -156,8 +156,8 @@ bool SecPassword::operator == (SecPassword &psw)
+   Get(Plain1,ASIZE(Plain1));
+   psw.Get(Plain2,ASIZE(Plain2));
+   bool Result=wcscmp(Plain1,Plain2)==0;
+-  cleandata(Plain1,ASIZE(Plain1));
+-  cleandata(Plain2,ASIZE(Plain2));
++  cleandata(Plain1,sizeof(Plain1));
++  cleandata(Plain2,sizeof(Plain2));
+   return Result;
+ }
+ 
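Review bot: The new bounds guard in recvol3.cpp, `int SrcPos=FileNumber+P[0]-1; if (SrcPos<0 || SrcPos>=ASIZE(SrcFile)) continue;`, sits after `File *NewFile=new File;` and `NewFile->TOpen(CurName);`, so if it ever fires the `continue` abandons the heap-allocated File together with its opened handle. Moving those two added lines above the `File *NewFile=new File;` line keeps the check without the leak. The added comment says the check is redundant given the earlier `P[0]+P[2]-1>255` test, but ASIZE(SrcFile) is not visible in this patch, so that equivalence cannot be confirmed from the hunk itself. The enclosing RecVolumes3::Restore body starts and ends outside the hunk.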
diff -Nru unrar-nonfree-6.2.6/debian/patches/series unrar-nonfree-6.2.6/debian/patches/series
--- unrar-nonfree-6.2.6/debian/patches/series	2023-02-23 12:31:56.000000000 +0900
+++ unrar-nonfree-6.2.6/debian/patches/series	2023-08-26 16:27:26.000000000 +0900
@@ -12,3 +12,4 @@
 0012-Add-PHONY-target.patch
 0013-Add-newline-after-error-message-Closes-774166.patch
 0014-Compiler-warning-fix.patch
+0015-CVE-2023-40477.patch
