Bug 218064 - app-arch/unrar-gpl <0.0.1_p20080417 : rar overflow (CVE-2008-1837)
Bug#: 218064 (CVE-2008-1837) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: INVALID Assigned To: security@gentoo.org Reported By: hanno@gentoo.org
Component: Vulnerabilities
Summary: app-arch/unrar-gpl <0.0.1_p20080417 : rar overflow (CVE-2008-1837)
Status Whiteboard: B2 [noglsa]
Opened: 2008-04-17 08:16 0000
Description:
unrar-gpl shares code from libclamav, thus is also affected by CVE-2008-1837.

I can't reproduce the issue on current cvs snapshot (just committed), thus I
assume it's safe, although it hasn't seen any updates recently.

------- Comment #1 From Markus Meier 2008-04-17 21:43:07 0000 -------
amd64/x86 stable, last arches.

------- Comment #2 From Robert Buchholz 2008-04-18 00:03:16 0000 -------
Hanno, can you please confirm that this is actually fixed? What makes me wonder
is that the last CVS commit is 7 months old, and the latest affected clamav
version was released only 2 months ago.

------- Comment #3 From Hanno Boeck 2008-04-18 10:53:20 0000 -------
rbu, I'm not really sure, I was wondering the same.

I wrote to the clamav-dev asking for the samples and he sent me three rar-files
crashing clamav < 0.93. All three don't crash latest unrar (while they crash
the older snapshot), so from my tests they are safe. I don't have an
explanation for that though.

------- Comment #4 From Robert Buchholz 2008-04-18 11:14:11 0000 -------
If you still have contact upstream, you could ask for the patch fixing
CVE-2008-1837.

------- Comment #5 From Robert Buchholz 2008-04-23 17:12:34 0000 -------
Hanno: The only difference between the two versions you tried was removing
"unrar30" code, which has been removed from the upstream libclamav for some time. The
diff that is called "check in 0.93 patches" is this:
http://svn.clamav.net/websvn/comp.php?repname=clamav-devel&path=&compare%5B%5D=%2Ftrunk%2Flibclamunrar%2F@3787&compare%5B%5D=%2Ftrunk%2Flibclamunrar%2F@3788

------- Comment #6 From Pierre-Yves Rofes 2008-05-05 21:26:54 0000 -------
any news here?

------- Comment #7 From Robert Buchholz 2008-11-26 18:10:54 0000 -------
Revisiting this bug, I noticed that the libclamav code is actually not used
within unrar-gpl. The unrar20.*, unrar15.* and unrar29.* files are derived from
libclamav, but you can simply delete them without any effect. The rar code
actually used is the one from unrarlib.