Bug 140325 - app-arch/unrar stack overflow
Bug#: 140325 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: INVALID Assigned To: security@gentoo.org Reported By: arthur@arthurkoziel.de
Component: Vulnerabilities
URL:  http://www.hustlelabs.com/advisories/04072006_rarlabs.pdf
Summary: app-arch/unrar stack overflow
Keywords:  
Status Whiteboard: ? [ebuild?] jaervosz
Opened: 2006-07-14 02:40 0000
Description:   Opened: 2006-07-14 02:40 0000 
Please bump unrar to 3.6.7 (beta 7). This version fixes a Stack overflow
vulnerability:

Version 3.60 beta 7

1. Stack overflow vulnerability has been corrected in WinRAR module
   processing LZH archives. We thank Ryan Smith, www.hustlelabs.com,
   for reporting this problem.

Renaming the ebuild worked fine!

------- Comment #1 From SpanKY 2006-07-14 22:05:24 0000 ------- 
3.6.7 in portage ... not sure if security team wants to do anything

------- Comment #2 From Stefan Cornelius (RETIRED) 2006-07-23 12:46:40 0000 ------- 
are we vulnerable? afaik, unrar only unpacks *.rar archives, while the
vulnerarbility was reported for the LHA unpacking functionality of WinRAR,
which seems to be not included in this unrar package.

------- Comment #3 From Sune Kloppenborg Jeppesen 2006-07-24 06:48:32 0000 ------- 
base-system please advise.

------- Comment #4 From SpanKY 2006-07-30 15:28:53 0000 ------- 
yes, it would appear that way ... unrar doesnt work on lzh archives

------- Comment #5 From Sune Kloppenborg Jeppesen 2006-07-31 00:48:02 0000 ------- 
Thx Mike.