Re: unrar: some issues missing from security tracker data
Hello all,
> CVE-2023-40477 is said to be in the RAR4 recovery volume processing code, which is recvol.cpp in the
> unrar source. There was no 6.3 unrar source release yet...
WinRAR version number "6.23" is the application version.
Upstream says CVE-2023-40477 was fixed in WinRAR 6.23 beta 1.
https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=232&cHash=c5bf79590657e32554c6683296a8e8aa
Application version "6.23 beta 1" means source code version "6.2.9".
So, CVE-2023-40477 was fixed in UnRAR 6.2.9, which has already been released.
I extracted the 6.2.9 fix and applied it in Git to the other UnRAR versions
distributed in Debian 10, 11, and 12.
Please examine the fix from unrar-nonfree Git repository:
[Debian 10]
https://github.com/debian-calibre/unrar-nonfree/tree/buster-update
=> fix commit:
https://github.com/debian-calibre/unrar-nonfree/commit/7b20ce008d0339316c56bb370063727acaf6c401
[Debian 11]
https://github.com/debian-calibre/unrar-nonfree/tree/bullseye-update
=> fix commit:
https://github.com/debian-calibre/unrar-nonfree/commit/e0e1632b924e3e466974fa97dc2ac95883784688
[Debian 12]
https://github.com/debian-calibre/unrar-nonfree/tree/bookworm-update
=> fix commit:
https://github.com/debian-calibre/unrar-nonfree/commit/a4dcd941aae01980c7b3a32c180bfd2e2a9de202
FYI: the RAR application version can be taken from the command-line help
message or the "version.hpp" file in the source code. You can examine
application version numbers from the Git commit history.
https://github.com/debian-calibre/unrar-nonfree/commits/master/version.hpp
--
YOKOTA Hiroshi