Bug#1050562: bookworm-pu: package unrar-nonfree/1:6.2.6-1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: unrar-nonfree@packages.debian.org, team@security.debian.org, yokota.hgml@gmail.com
Control: affects -1 + src:unrar-nonfree
[ Reason ]
To fix CVE-2023-40477.
CVE-2023-40477 was fixed in unrar-nonfree 6.2.9-1, which has already been released for
trixie/sid.
[ Impact ]
If not fixed, it allows remote attackers to execute arbitrary code.
[ Tests ]
There is no test case for CVE-2023-40477.
The Debian autopkgtest for normal operation passed.
[ Risks ]
There is no test case for CVE-2023-40477.
I can't confirm that the bug is fixed.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Apply the upstream fix from UnRAR 6.2.9 to unrar-nonfree 6.2.6-1, which is in bookworm.
The debdiff can be examined online:
https://github.com/debian-calibre/unrar-nonfree/compare/debian/1%256.2.6-1...debian/1%256.2.6-1+deb12u1
[ Other info ]
* RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code
Execution Vulnerability
https://www.zerodayinitiative.com/advisories/ZDI-23-1152/
* WinRAR 6.23 final released
https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=232&cHash=c5bf79590657e32554c6683296a8e8aa
diff -Nru unrar-nonfree-6.2.6/debian/changelog unrar-nonfree-6.2.6/debian/changelog
--- unrar-nonfree-6.2.6/debian/changelog 2023-02-23 12:31:56.000000000 +0900
+++ unrar-nonfree-6.2.6/debian/changelog 2023-08-26 16:27:26.000000000 +0900
@@ -1,3 +1,9 @@
+unrar-nonfree (1:6.2.6-1+deb12u1) bookworm; urgency=medium
+
+ * Fix CVE-2023-40477
+
+ -- YOKOTA Hiroshi <yokota.hgml@gmail.com> Sat, 26 Aug 2023 16:27:26 +0900
+
unrar-nonfree (1:6.2.6-1) unstable; urgency=medium
* New upstream version 6.2.6
diff -Nru unrar-nonfree-6.2.6/debian/patches/0015-CVE-2023-40477.patch unrar-nonfree-6.2.6/debian/patches/0015-CVE-2023-40477.patch
--- unrar-nonfree-6.2.6/debian/patches/0015-CVE-2023-40477.patch 1970-01-01 09:00:00.000000000 +0900
+++ unrar-nonfree-6.2.6/debian/patches/0015-CVE-2023-40477.patch 2023-08-26 16:27:26.000000000 +0900
@@ -0,0 +1,106 @@
+From: YOKOTA Hiroshi <yokota.hgml@gmail.com>
+Date: Fri, 21 Jul 2023 00:33:42 +0900
+Subject: CVE-2023-40477
+
+---
+ getbits.cpp | 8 ++++----
+ pathfn.cpp | 2 +-
+ recvol3.cpp | 11 +++++++++--
+ secpassword.cpp | 8 ++++----
+ 4 files changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/getbits.cpp b/getbits.cpp
+index 8805f27..5d5ad2b 100644
+--- a/getbits.cpp
++++ b/getbits.cpp
+@@ -5,11 +5,11 @@ BitInput::BitInput(bool AllocBuffer)
+ ExternalBuffer=false;
+ if (AllocBuffer)
+ {
+- // getbits*() attempt to read data from InAddr, ... InAddr+3 positions.
+- // So let's allocate 3 additional bytes for situation, when we need to
++ // getbits*() attempt to read data from InAddr, ... InAddr+4 positions.
++ // So let's allocate 4 additional bytes for situation, when we need to
+ // read only 1 byte from the last position of buffer and avoid a crash
+- // from access to next 3 bytes, which contents we do not need.
+- size_t BufSize=MAX_SIZE+3;
++ // from access to next 4 bytes, which contents we do not need.
++ size_t BufSize=MAX_SIZE+4;
+ InBuf=new byte[BufSize];
+
+ // Ensure that we get predictable results when accessing bytes in area
+diff --git a/pathfn.cpp b/pathfn.cpp
+index 49d16a8..7a54354 100644
+--- a/pathfn.cpp
++++ b/pathfn.cpp
+@@ -746,7 +746,7 @@ static void GenArcName(wchar *ArcName,size_t MaxSize,const wchar *GenerateMask,u
+ // Here we ensure that we have enough 'N' characters to fit all digits
+ // of archive number. We'll replace them by actual number later
+ // in this function.
+- if (NCount<Digits)
++ if (NCount<Digits && wcslen(Mask)+Digits-NCount<ASIZE(Mask))
+ {
+ wmemmove(Mask+I+Digits,Mask+I+NCount,wcslen(Mask+I+NCount)+1);
+ wmemset(Mask+I,'N',Digits);
+diff --git a/recvol3.cpp b/recvol3.cpp
+index ecf6dd3..0138d0f 100644
+--- a/recvol3.cpp
++++ b/recvol3.cpp
+@@ -226,7 +226,7 @@ bool RecVolumes3::Restore(CommandData *Cmd,const wchar *Name,bool Silent)
+ if (WrongParam)
+ continue;
+ }
+- if (P[1]+P[2]>255)
++ if (P[0]<=0 || P[1]<=0 || P[2]<=0 || P[1]+P[2]>255 || P[0]+P[2]-1>255)
+ continue;
+ if (RecVolNumber!=0 && RecVolNumber!=P[1] || FileNumber!=0 && FileNumber!=P[2])
+ {
+@@ -238,7 +238,14 @@ bool RecVolumes3::Restore(CommandData *Cmd,const wchar *Name,bool Silent)
+ wcsncpyz(PrevName,CurName,ASIZE(PrevName));
+ File *NewFile=new File;
+ NewFile->TOpen(CurName);
+- SrcFile[FileNumber+P[0]-1]=NewFile;
++
++ // This check is redundant taking into account P[I]>255 and P[0]+P[2]-1>255
++ // checks above. Still we keep it here for better clarity and security.
++ int SrcPos=FileNumber+P[0]-1;
++ if (SrcPos<0 || SrcPos>=ASIZE(SrcFile))
++ continue;
++ SrcFile[SrcPos]=NewFile;
++
+ FoundRecVolumes++;
+
+ if (RecFileSize==0)
+diff --git a/secpassword.cpp b/secpassword.cpp
+index 42ed47d..08da549 100644
+--- a/secpassword.cpp
++++ b/secpassword.cpp
+@@ -70,7 +70,7 @@ void SecPassword::Clean()
+ {
+ PasswordSet=false;
+ if (Password.size()>0)
+- cleandata(&Password[0],Password.size());
++ cleandata(&Password[0],Password.size()*sizeof(Password[0]));
+ }
+
+
+@@ -141,7 +141,7 @@ size_t SecPassword::Length()
+ wchar Plain[MAXPASSWORD];
+ Get(Plain,ASIZE(Plain));
+ size_t Length=wcslen(Plain);
+- cleandata(Plain,ASIZE(Plain));
++ cleandata(Plain,sizeof(Plain));
+ return Length;
+ }
+
+@@ -156,8 +156,8 @@ bool SecPassword::operator == (SecPassword &psw)
+ Get(Plain1,ASIZE(Plain1));
+ psw.Get(Plain2,ASIZE(Plain2));
+ bool Result=wcscmp(Plain1,Plain2)==0;
+- cleandata(Plain1,ASIZE(Plain1));
+- cleandata(Plain2,ASIZE(Plain2));
++ cleandata(Plain1,sizeof(Plain1));
++ cleandata(Plain2,sizeof(Plain2));
+ return Result;
+ }
+
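Review bot: In the recvol3.cpp part of this patch, the new `SrcPos` bounds check is placed after `File *NewFile=new File;` and `NewFile->TOpen(CurName);`, so the `continue` it introduces abandons the freshly allocated File object and whatever handle TOpen acquired. `SrcPos` depends only on `FileNumber` and `P[0]`, both already known at that point, so the two lines `int SrcPos=FileNumber+P[0]-1;` and `if (SrcPos<0 || SrcPos>=ASIZE(SrcFile)) continue;` can simply be moved above the `new File` line so nothing is acquired before the check. The upstream comment calls this check redundant given the `P[0]+P[2]-1>255` guard added in the earlier hunk, so this appears to be a hygiene issue rather than a reachable leak, but a defensive check that itself leaks is worth tidying before it lands in stable. The patch header carries From/Date/Subject but no DEP-3 `Origin:` or `Bug:` line pointing at the upstream 6.2.9 change, which would help whoever prepares the next stable update trace its provenance. RecVolumes3::Restore starts and ends outside the hunk.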
diff -Nru unrar-nonfree-6.2.6/debian/patches/series unrar-nonfree-6.2.6/debian/patches/series
--- unrar-nonfree-6.2.6/debian/patches/series 2023-02-23 12:31:56.000000000 +0900
+++ unrar-nonfree-6.2.6/debian/patches/series 2023-08-26 16:27:26.000000000 +0900
@@ -12,3 +12,4 @@
0012-Add-PHONY-target.patch
0013-Add-newline-after-error-message-Closes-774166.patch
0014-Compiler-warning-fix.patch
+0015-CVE-2023-40477.patch