218064 CVE-2008-1837 2008-04-17 08:16 0000 app-arch/unrar-gpl <0.0.1_p20080417 : rar overflow (CVE-2008-1837) 2009-07-13 22:36:58 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED INVALID B2 [noglsa] P2 normal --- 1 hanno@gentoo.org security@gentoo.org hanno@gentoo.org hanno@gentoo.org 2008-04-17 08:16:21 0000 unrar-gpl shares code from libclamav, thus is also affected by CVE-2008-1837. I can't reproduce the issue on current cvs snapshot (just committed), thus I assume it's safe, although it hasn't seen any updates recently. maekke@gentoo.org 2008-04-17 21:43:07 0000 amd64/x86 stable, last arches. rbu@gentoo.org 2008-04-18 00:03:16 0000 Hanno, can you please confirm that this is actually fixed? What makes me wonder is that the last CVS commit is 7 months old, and the latest affected clamav version was released only 2 months ago. hanno@gentoo.org 2008-04-18 10:53:20 0000 rbu, I'm not really sure, I was wondering the same. I wrote to the clamav-dev asking for the samples and he sent me three rar-files crashing clamav < 0.93. All three don't crash latest unrar (while they crash the older snapshot), so from my tests they are safe. I don't have an explanation for that though. rbu@gentoo.org 2008-04-18 11:14:11 0000 If you still have contact upstream, you could ask for the patch fixing CVE-2008-1837. rbu@gentoo.org 2008-04-23 17:12:34 0000 Hanno: The only difference between the two versions you tried was removing "unrar30" code, which is removed from the upstream libclamav for some time. The diff that is called "check in 0.93 patches" is this: http://svn.clamav.net/websvn/comp.php?repname=clamav-devel&path=&compare%5B%5D=%2Ftrunk%2Flibclamunrar%2F@3787&compare%5B%5D=%2Ftrunk%2Flibclamunrar%2F@3788 py@gentoo.org 2008-05-05 21:26:54 0000 any news here? rbu@gentoo.org 2008-11-26 18:10:54 0000 revisiting this bug I noticed that the libclamav code is actually not used within unrar-gpl. The unrar20.* unrar15.* and unrar29.* files are derived from libclamav, but you can simply delete them without any effect. The rar code actually used is the one from unrarlib.