140325 2006-07-14 02:40 0000 app-arch/unrar stack overflow 2006-07-31 00:48:02 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED INVALID http://www.hustlelabs.com/advisories/04072006_rarlabs.pdf ? [ebuild?] jaervosz P2 normal --- 1 arthur@arthurkoziel.de security@gentoo.org arthur@arthurkoziel.de 2006-07-14 02:40:50 0000 Please bump unrar to 3.6.7 (beta 7). This version fixes a Stack overflow vulnerability: Version 3.60 beta 7 1. Stack overflow vulnerability has been corrected in WinRAR module processing LZH archives. We thank Ryan Smith, www.hustlelabs.com, for reporting this problem. Renaming the ebuild worked fine! vapier@gentoo.org 2006-07-14 22:05:24 0000 3.6.7 in portage ... not sure if security team wants to do anything dercorny@gentoo.org 2006-07-23 12:46:40 0000 are we vulnerable? afaik, unrar only unpacks *.rar archives, while the vulnerarbility was reported for the LHA unpacking functionality of WinRAR, which seems to be not included in this unrar package. jaervosz@gentoo.org 2006-07-24 06:48:32 0000 base-system please advise. vapier@gentoo.org 2006-07-30 15:28:53 0000 yes, it would appear that way ... unrar doesnt work on lzh archives jaervosz@gentoo.org 2006-07-31 00:48:02 0000 Thx Mike.