Re: unrar: some issues missing from security tracker data
- To: Bastian Germann <bage@debian.org>
- Cc: Christoph Anton Mitterer <calestyo@scientia.org>, debian-security-tracker@lists.debian.org, Martin Meredith <mez@debian.org>, Norbert Preining <norbert@preining.info>, YOKOTA Hiroshi <yokota.hgml@gmail.com>
- Subject: Re: unrar: some issues missing from security tracker data
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sat, 26 Aug 2023 08:46:05 +0200
- Message-id: <ZOmfrR9Yh24CxTxD@eldamar.lan>
- Mail-followup-to: Bastian Germann <bage@debian.org>, Christoph Anton Mitterer <calestyo@scientia.org>, debian-security-tracker@lists.debian.org, Martin Meredith <mez@debian.org>, Norbert Preining <norbert@preining.info>, YOKOTA Hiroshi <yokota.hgml@gmail.com>
- In-reply-to: <f9906617-2495-4cc9-b89b-0b57850bb11c@debian.org>
- References: <20b166b13fc4b98d87372ae5591b4a508c886caf.camel@scientia.org> <ZOhc7MndBxLA0YvA@eldamar.lan> <f9906617-2495-4cc9-b89b-0b57850bb11c@debian.org>
Hi Bastian,
On Fri, Aug 25, 2023 at 10:53:24AM +0200, Bastian Germann wrote:
> On 25.08.23 at 09:49, Salvatore Bonaccorso wrote:
> > Hi Chris,
> >
> > On Thu, Aug 24, 2023 at 04:02:22PM +0200, Christoph Anton Mitterer wrote:
> > > Hey.
> > >
> > > Unrar data in the security tracker seems to miss:
> > >
> > > CVE-2023-40477 https://www.zerodayinitiative.com/advisories/ZDI-23-1152/
> > > CVE-2023-38831 https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
> > >
> > >
> > > AFAIU, at least the first one is already fixed in Debian (not sure
> > > about the 2nd).
> >
> > I'm not sure if those are WinRAR specific or apply as well to src:rar
> > and src:unrar-nonfree.
>
> CVE-2023-40477 is said to be in the RAR4 recovery volume processing code, which
> is recvol.cpp in the unrar source. There has been no 6.3 unrar source release
> yet...
>
> I guess CVE-2023-38831 is only in WinRAR, as that is about hiding file
> extensions, and even if the Unix version were affected it would not make much
> noise, with .exe not being executable by name.
Thanks, I have marked the latter for now as WinRAR-specific.
Regards,
Salvatore