
libclamunrar and CVE-2023-40477




Hot on the heels of CVE-2023-20197, ClamAV have announced another security issue, as a result of the RAR issue CVE-2023-40477:
https://blog.clamav.net/2023/08/clamav-120-feature-version-and-111-102.html

This probably comes under libclamunrar rather than clamav,
since it affects the non-free unrar package bundled by ClamAV
but unbundled by Debian.

I am afraid I have not been able to build any of the recent
versions of clamav (I am on Ubuntu which probably does not help)
and cannot confirm whether or not the fixed unrar-nonfree package
for sid/CVE-2023-40477 is sufficient.

--
Andrew C. Aitchison                      Kendal, UK
                   andrew@aitchison.me.uk

