
Bug#1050562: marked as done (bookworm-pu: package unrar-nonfree/1:6.2.6-1+deb12u1)



Your message dated Sat, 07 Oct 2023 09:59:40 +0000
with message-id <E1qp460-00A4Dt-Hf@coccia.debian.org>
and subject line Released with 12.2
has caused the Debian Bug report #1050562,
regarding bookworm-pu: package unrar-nonfree/1:6.2.6-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1050562: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050562
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: unrar-nonfree@packages.debian.org, team@security.debian.org, yokota.hgml@gmail.com
Control: affects -1 + src:unrar-nonfree

[ Reason ]
To fix CVE-2023-40477.
CVE-2023-40477 was fixed in unrar-nonfree 6.2.9-1, which has already been released for
trixie/sid.

[ Impact ]
If not fixed, it allows remote attackers to execute arbitrary code.

[ Tests ]
There is no test case for CVE-2023-40477.
The Debian autopkgtest for normal operation passed.

[ Risks ]
There is no test case for CVE-2023-40477.
I can't confirm the bug was fixed.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Apply the upstream fix from UnRAR 6.2.9 to unrar-nonfree 6.2.6-1, which is in bookworm.

The debdiff can be examined online:
  https://github.com/debian-calibre/unrar-nonfree/compare/debian/1%256.2.6-1...debian/1%256.2.6-1+deb12u1

[ Other info ]
* RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code
  Execution Vulnerability
  https://www.zerodayinitiative.com/advisories/ZDI-23-1152/

* WinRAR 6.23 final released
  https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=232&cHash=c5bf79590657e32554c6683296a8e8aa
diff -Nru unrar-nonfree-6.2.6/debian/changelog unrar-nonfree-6.2.6/debian/changelog
--- unrar-nonfree-6.2.6/debian/changelog	2023-02-23 12:31:56.000000000 +0900
+++ unrar-nonfree-6.2.6/debian/changelog	2023-08-26 16:27:26.000000000 +0900
@@ -1,3 +1,9 @@
+unrar-nonfree (1:6.2.6-1+deb12u1) bookworm; urgency=medium
+
+  * Fix CVE-2023-40477
+
+ -- YOKOTA Hiroshi <yokota.hgml@gmail.com>  Sat, 26 Aug 2023 16:27:26 +0900
+
 unrar-nonfree (1:6.2.6-1) unstable; urgency=medium
 
   * New upstream version 6.2.6
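Review bot: the changelog entry `+  * Fix CVE-2023-40477` gives only the CVE id; a stable update entry should also say what was fixed and where the fix comes from, so the release team can match it against the debdiff and the advisory linked under [ Other info ], e.g. `* Fix CVE-2023-40477: improper validation of array index when restoring recovery volumes (backport of the upstream fix from UnRAR 6.2.9)`.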
diff -Nru unrar-nonfree-6.2.6/debian/patches/0015-CVE-2023-40477.patch unrar-nonfree-6.2.6/debian/patches/0015-CVE-2023-40477.patch
--- unrar-nonfree-6.2.6/debian/patches/0015-CVE-2023-40477.patch	1970-01-01 09:00:00.000000000 +0900
+++ unrar-nonfree-6.2.6/debian/patches/0015-CVE-2023-40477.patch	2023-08-26 16:27:26.000000000 +0900
@@ -0,0 +1,106 @@
+From: YOKOTA Hiroshi <yokota.hgml@gmail.com>
+Date: Fri, 21 Jul 2023 00:33:42 +0900
+Subject: CVE-2023-40477
+
+---
+ getbits.cpp     |  8 ++++----
+ pathfn.cpp      |  2 +-
+ recvol3.cpp     | 11 +++++++++--
+ secpassword.cpp |  8 ++++----
+ 4 files changed, 18 insertions(+), 11 deletions(-)
+
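Review bot: the patch header carries only From/Date/Subject and an empty description before `---`; add DEP-3 metadata (an `Origin:` line naming the upstream UnRAR 6.2.9 fix and a link to the ZDI-23-1152 advisory) plus a one-line description that says which of the four touched files carry the array-index fix the advisory describes (the recovery-volume code in recvol3.cpp) and which are accompanying hardening (getbits.cpp, pathfn.cpp, secpassword.cpp), so a stable reviewer can tell the CVE fix from the extras.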
+diff --git a/getbits.cpp b/getbits.cpp
+index 8805f27..5d5ad2b 100644
+--- a/getbits.cpp
++++ b/getbits.cpp
+@@ -5,11 +5,11 @@ BitInput::BitInput(bool AllocBuffer)
+   ExternalBuffer=false;
+   if (AllocBuffer)
+   {
+-    // getbits*() attempt to read data from InAddr, ... InAddr+3 positions.
+-    // So let's allocate 3 additional bytes for situation, when we need to
++    // getbits*() attempt to read data from InAddr, ... InAddr+4 positions.
++    // So let's allocate 4 additional bytes for situation, when we need to
+     // read only 1 byte from the last position of buffer and avoid a crash
+-    // from access to next 3 bytes, which contents we do not need.
+-    size_t BufSize=MAX_SIZE+3;
++    // from access to next 4 bytes, which contents we do not need.
++    size_t BufSize=MAX_SIZE+4;
+     InBuf=new byte[BufSize];
+ 
+     // Ensure that we get predictable results when accessing bytes in area
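Review bot: the slack grows from 3 to 4 bytes as a bare literal in `size_t BufSize=MAX_SIZE+4;`, with the justification living only in the comment above it; since the value must match the widest read the getbits*() helpers perform, define it once as a named constant next to those readers and use it here, so a future widening of a reader cannot silently desynchronise from the allocation again. Also confirm that the padding initialisation referred to below ("Ensure that we get predictable results when accessing bytes in area") now covers all four extra bytes, not three.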
+diff --git a/pathfn.cpp b/pathfn.cpp
+index 49d16a8..7a54354 100644
+--- a/pathfn.cpp
++++ b/pathfn.cpp
+@@ -746,7 +746,7 @@ static void GenArcName(wchar *ArcName,size_t MaxSize,const wchar *GenerateMask,u
+       // Here we ensure that we have enough 'N' characters to fit all digits
+       // of archive number. We'll replace them by actual number later
+       // in this function.
+-      if (NCount<Digits)
++      if (NCount<Digits && wcslen(Mask)+Digits-NCount<ASIZE(Mask))
+       {
+         wmemmove(Mask+I+Digits,Mask+I+NCount,wcslen(Mask+I+NCount)+1);
+         wmemset(Mask+I,'N',Digits);
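Review bot: the new guard `wcslen(Mask)+Digits-NCount<ASIZE(Mask)` correctly leaves room for the terminator before the `wmemmove` grows the mask, but when it fails the branch is skipped silently and the mask keeps fewer 'N' placeholders than the archive number has digits, with nothing recording that. Add a comment stating the intended behaviour in that case (or report the condition as an error) so the fallback is deliberate rather than accidental.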
+diff --git a/recvol3.cpp b/recvol3.cpp
+index ecf6dd3..0138d0f 100644
+--- a/recvol3.cpp
++++ b/recvol3.cpp
+@@ -226,7 +226,7 @@ bool RecVolumes3::Restore(CommandData *Cmd,const wchar *Name,bool Silent)
+       if (WrongParam)
+         continue;
+     }
+-    if (P[1]+P[2]>255)
++    if (P[0]<=0 || P[1]<=0 || P[2]<=0 || P[1]+P[2]>255 || P[0]+P[2]-1>255)
+       continue;
+     if (RecVolNumber!=0 && RecVolNumber!=P[1] || FileNumber!=0 && FileNumber!=P[2])
+     {
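Review bot: the new condition hard-codes 255 twice (`P[1]+P[2]>255 || P[0]+P[2]-1>255`), and the following hunk's comment says the same bound is also enforced against `ASIZE(SrcFile)`; tie the literal to that array size (or a shared constant) so the two checks cannot drift apart. The one-line condition would also read better split across lines with a comment naming the fields as the surrounding code uses them (P[1] is compared with RecVolNumber, P[2] with FileNumber, and P[0] is the offset added to FileNumber to index SrcFile).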
+@@ -238,7 +238,14 @@ bool RecVolumes3::Restore(CommandData *Cmd,const wchar *Name,bool Silent)
+     wcsncpyz(PrevName,CurName,ASIZE(PrevName));
+     File *NewFile=new File;
+     NewFile->TOpen(CurName);
+-    SrcFile[FileNumber+P[0]-1]=NewFile;
++
++    // This check is redundant taking into account P[I]>255 and P[0]+P[2]-1>255
++    // checks above. Still we keep it here for better clarity and security.
++    int SrcPos=FileNumber+P[0]-1;
++    if (SrcPos<0 || SrcPos>=ASIZE(SrcFile))
++      continue;
++    SrcFile[SrcPos]=NewFile;
++
+     FoundRecVolumes++;
+ 
+     if (RecFileSize==0)
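Review bot: the `continue` after the new `SrcPos` range check leaks the `File` object: `NewFile` is allocated with `new File` and opened with `TOpen(CurName)` two lines earlier and is never deleted on that path. Either compute and check `SrcPos` before `File *NewFile=new File;`, or `delete NewFile;` before `continue;`. The comment says the check is redundant given the conditions above, which is exactly why a leak on this path would go unnoticed. Also `SrcPos>=ASIZE(SrcFile)` compares `int` with what is presumably a `size_t`; it is safe because `SrcPos<0` is tested first, but a cast (`(size_t)SrcPos>=ASIZE(SrcFile)`) would keep -Wsign-compare quiet.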
+diff --git a/secpassword.cpp b/secpassword.cpp
+index 42ed47d..08da549 100644
+--- a/secpassword.cpp
++++ b/secpassword.cpp
+@@ -70,7 +70,7 @@ void SecPassword::Clean()
+ {
+   PasswordSet=false;
+   if (Password.size()>0)
+-    cleandata(&Password[0],Password.size());
++    cleandata(&Password[0],Password.size()*sizeof(Password[0]));
+ }
+  
+ 
+@@ -141,7 +141,7 @@ size_t SecPassword::Length()
+   wchar Plain[MAXPASSWORD];
+   Get(Plain,ASIZE(Plain));
+   size_t Length=wcslen(Plain);
+-  cleandata(Plain,ASIZE(Plain));
++  cleandata(Plain,sizeof(Plain));
+   return Length;
+ }
+ 
+@@ -156,8 +156,8 @@ bool SecPassword::operator == (SecPassword &psw)
+   Get(Plain1,ASIZE(Plain1));
+   psw.Get(Plain2,ASIZE(Plain2));
+   bool Result=wcscmp(Plain1,Plain2)==0;
+-  cleandata(Plain1,ASIZE(Plain1));
+-  cleandata(Plain2,ASIZE(Plain2));
++  cleandata(Plain1,sizeof(Plain1));
++  cleandata(Plain2,sizeof(Plain2));
+   return Result;
+ }
+ 
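Review bot: switching `cleandata` from element counts to byte sizes (`Password.size()*sizeof(Password[0])`, `sizeof(Plain)` instead of `ASIZE(Plain)`) fixes wiping only the first fraction of each wide-character password buffer, but this is a separate hardening change from the array-index issue in the CVE; say so in the patch description or changelog so it is not mistaken for part of CVE-2023-40477. The change also assumes `cleandata` takes a byte length; check its other callers in the tree so the same unit mismatch does not remain elsewhere.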
diff -Nru unrar-nonfree-6.2.6/debian/patches/series unrar-nonfree-6.2.6/debian/patches/series
--- unrar-nonfree-6.2.6/debian/patches/series	2023-02-23 12:31:56.000000000 +0900
+++ unrar-nonfree-6.2.6/debian/patches/series	2023-08-26 16:27:26.000000000 +0900
@@ -12,3 +12,4 @@
 0012-Add-PHONY-target.patch
 0013-Add-newline-after-error-message-Closes-774166.patch
 0014-Compiler-warning-fix.patch
+0015-CVE-2023-40477.patch

--- End Message ---
--- Begin Message ---
Version: 12.2

The upload requested in this bug has been released as part of 12.2.

--- End Message ---
