Re: rar oldstable update for CVE-2007-0855
Martin Meredith wrote:
> On Mon, 2007-12-31 at 17:10 +0100, Nico Golde wrote:
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for rar some time ago.
>> | Stack-based buffer overflow in RARLabs Unrar, as packaged in WinRAR
>> | and possibly other products, allows user-assisted remote attackers to
>> | execute arbitrary code via a crafted, password-protected archive.
>> Unfortunately the vulnerability described above is not important enough
>> to get it fixed via regular security update in Debian oldstable. It does
>> not warrant a DSA.
>> However it would be nice if this could get fixed via a regular point update.
>> Please contact the release team for this.
> Hi there, I'm unsure as to what you want for this.
> From what I can tell, you're requesting an update of rar for oldstable?
> May I remind you that the only way to fix this in _rar_ for oldstable is
> to update it to at least 3.7 beta 1 of rar, due to it being a binary
Hmm, it sounds better to remove the package from oldstable and have a
note in the Release Notes about it...