
Re: unrar: some issues missing from security tracker data



Hi Bastian,

On Fri, Aug 25, 2023 at 10:53:24AM +0200, Bastian Germann wrote:
> Am 25.08.23 um 09:49 schrieb Salvatore Bonaccorso:
> > Hi Chris,
> > 
> > On Thu, Aug 24, 2023 at 04:02:22PM +0200, Christoph Anton Mitterer wrote:
> > > Hey.
> > > 
> > > Unrar data in the security tracker seems to miss:
> > > 
> > > CVE-2023-40477 https://www.zerodayinitiative.com/advisories/ZDI-23-1152/
> > > CVE-2023-38831 https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
> > > 
> > > 
> > > AFAIU, at least the first one is already fixed in Debian (not sure
> > > about the 2nd).
> > 
> > I'm not sure if those are WinRAR specific or apply as well to src:rar
> > and src:unrar-nonfree.
> 
> CVE-2023-40477 is said to be in the RAR4 recovery volume processing code, which
> is recvol.cpp in the unrar source. There has been no 6.3 unrar source release
> yet...
> 
> I guess CVE-2023-38831 is only in WinRAR, as that is about hiding file
> extensions, and even if the Unix version were affected it would not make much
> noise, with .exe not being executable by name.

Thanks, I have marked the latter for now as WinRAR specific.

Regards,
Salvatore

