166440 2007-02-11 23:40 0000 app-arch/{un,}rar- remotely exploitable stack based buffer overflow (CVE-2007-0855) 2007-03-31 18:24:46 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED A2 [glsa] Falco P2 normal --- 1 carlo@gentoo.org security@gentoo.org bernd@linx.net chainsaw@gentoo.org gentoo@meyer-dlugosch.de carlo@gentoo.org 2007-02-11 23:40:05 0000 Exploitation of the vulnerability could allow an attacker to execute arbitrary code with the privileges of the user opening the file. Exploitation would require that an attacker hosts a maliciously crafted document on a website and entice users to visit the site. An attacker could also e-mail the malicious document and use social engineering techniques to trick the e-mail recipient into opening the document. There are several mitigating factors for this vulnerability. Nearly all Windows users will use the GUI based WinRAR to open archives, and it is not vulnerable. If users are using the vulnerable command line based unrar, they still need to interact with the program in order to trigger the vulnerability. They must respond to the prompt asking for the password, after which the vulnerability will be triggered. They do not need to enter a correct password, but they must at least push the enter key. http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=472 Reproducible: Always falco@gentoo.org 2007-02-12 12:58:04 0000 Thanks Carsten, this vuln went out of my scope :( base-system, could you bump unrar version 3.7.0 please? thanks vapier@gentoo.org 2007-02-12 13:15:13 0000 rar-3.7.0_beta1 and unrar-3.7.3 now in portage falco@gentoo.org 2007-02-12 15:25:12 0000 Thanks vapier for the very quick bump, and for unrar too. hi arches, please test and mark stable : rar-3.7.0_beta1 for AMD64 and X86 unrar-3.7.3 for all arches jer@gentoo.org 2007-02-12 16:01:37 0000 Stable for HPPA. gustavoz@gentoo.org 2007-02-12 16:20:31 0000 sparc stable. armin76@gentoo.org 2007-02-12 16:24:54 0000 both rar and unrar x86 stable blubb@gentoo.org 2007-02-12 16:49:12 0000 both stable on amd64 dertobi123@gentoo.org 2007-02-12 19:04:22 0000 ppc stable corsair@gentoo.org 2007-02-13 11:08:26 0000 ppc64 stable gentoo@meyer-dlugosch.de 2007-02-13 13:57:44 0000 this may be the wrong place to report, but i think there is a dependency to glibc 2.4 missing /lib/libc.so.6: version `GLIBC_2.4' not found (required by /opt/bin/rar) i can only use sys-libs/glibc-2.3.6-r5 Portage 2.1.2-r9 (selinux/2005.1/x86/hardened, gcc-3.4.6, glibc-2.3.6-r5, 2.6.18-hardened i686) wolf31o2@gentoo.org 2007-02-13 22:14:27 0000 alpha done falco@gentoo.org 2007-02-13 23:56:05 0000 GLSA 200702-04, thanks to everybody. ARM, IA64, S390, don't forget to mark stable. armin76@gentoo.org 2007-03-31 18:24:46 0000 arm/ia64/s390 done