
Re: unrar: some issues missing from security tracker data



On 25.08.23 at 09:49, Salvatore Bonaccorso wrote:
Hi Chris,

On Thu, Aug 24, 2023 at 04:02:22PM +0200, Christoph Anton Mitterer wrote:
Hey.

Unrar data in the security tracker seems to miss:

CVE-2023-40477 https://www.zerodayinitiative.com/advisories/ZDI-23-1152/
CVE-2023-38831 https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/


AFAIU, at least the first one is already fixed in Debian (not sure
about the 2nd).

I'm not sure if those are WinRAR specific or apply as well to src:rar
and src:unrar-nonfree.

CVE-2023-40477 is described as being in the RAR4 recovery volume processing code, which is recvol.cpp in the unrar source. There has been no 6.3 unrar source release yet...

I guess CVE-2023-38831 is only in WinRAR, as that one is about hiding file extensions, and even if the Unix version were affected it would not make much noise, with .exe not being executable by name.

