Please bump unrar to 3.6.7 (beta 7). This version fixes a stack overflow vulnerability:

Version 3.60 beta 7

1. Stack overflow vulnerability has been corrected in WinRAR module processing LZH archives. We thank Ryan Smith, www.hustlelabs.com, for reporting this problem.

Renaming the ebuild worked fine!
3.6.7 in portage ... not sure if security team wants to do anything
are we vulnerable? afaik, unrar only unpacks *.rar archives, while the vulnerability was reported for the LHA unpacking functionality of WinRAR, which seems to be not included in this unrar package.
base-system please advise.
yes, it would appear that way ... unrar doesn't work on lzh archives
Thx Mike.