
Bug 140325

Summary: app-arch/unrar stack overflow
Product: Gentoo Security
Reporter: Arthur Koziel <arthur>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.hustlelabs.com/advisories/04072006_rarlabs.pdf
Whiteboard: ? [ebuild?] jaervosz
Package list:
Runtime testing required: ---

Description Arthur Koziel 2006-07-14 02:40:50 UTC
Please bump unrar to 3.6.7 (beta 7). This version fixes a Stack overflow vulnerability:

Version 3.60 beta 7

1. Stack overflow vulnerability has been corrected in WinRAR module
   processing LZH archives. We thank Ryan Smith, www.hustlelabs.com,
   for reporting this problem.

Renaming the ebuild worked fine!
Comment 1 SpanKY gentoo-dev 2006-07-14 22:05:24 UTC
3.6.7 in portage ... not sure if security team wants to do anything
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2006-07-23 12:46:40 UTC
are we vulnerable? afaik, unrar only unpacks *.rar archives, while the vulnerability was reported for the LHA unpacking functionality of WinRAR, which seems to be not included in this unrar package.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-24 06:48:32 UTC
base-system please advise.
Comment 4 SpanKY gentoo-dev 2006-07-30 15:28:53 UTC
yes, it would appear that way ... unrar doesn't work on lzh archives
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-31 00:48:02 UTC
Thx Mike.