CVE-2017-12940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12940): libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the EncodeFileName::Decode call within the Archive::ReadHeader15 function. CVE-2017-12941 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12941): libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the Unpack::Unpack20 function. CVE-2017-12942 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12942): libunrar.a in UnRAR before 5.5.7 has a buffer overflow in the Unpack::LongLZ function.
See tracker bug 628178 for more details. @ Arches, please test and mark stable: =app-arch/unrar-5.5.8
x86 stable
ia64 stable
ppc/ppc64 stable
arm stable
amd64 stable
alpha stable
Sparc no longer security supported, hppa please see bug #629554. Sparc, hppa please finish security stabilization. New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
sparc was dropped to exp. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
hppa stable
Maintainer(s), please drop the vulnerable version(s).
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00f2e7b2f5cdd40bf9701c90a6e91bf48d97fa8a

commit 00f2e7b2f5cdd40bf9701c90a6e91bf48d97fa8a
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2017-09-25 17:39:12 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2017-09-25 17:39:12 +0000

app-arch/unrar: Security cleanup

Bug: https://bugs.gentoo.org/628182
Package-Manager: Portage-2.3.10, Repoman-2.3.3

 app-arch/unrar/Manifest                             |  4 --
 app-arch/unrar/files/unrar-5.0.2-build.patch        | 45 ---------------
 .../unrar/files/unrar-5.2.2-no-auto-clean.patch     | 17 ------
 app-arch/unrar/unrar-5.4.5.ebuild                   | 62 --------------------
 app-arch/unrar/unrar-5.5.5-r1.ebuild                | 65 ----------------------
 app-arch/unrar/unrar-5.5.6.ebuild                   | 65 ----------------------
 app-arch/unrar/unrar-5.5.7.ebuild                   | 65 ----------------------
 7 files changed, 323 deletions(-)
This issue was resolved and addressed in GLSA 201709-24 at https://security.gentoo.org/glsa/201709-24 by GLSA coordinator Aaron Bauman (b-man).
sparc stable (thanks to Rolf Eike Beer)