Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 166440 - app-arch/{un,}rar- remotely exploitable stack based buffer overflow (CVE-2007-0855)
Summary: app-arch/{un,}rar- remotely exploitable stack based buffer overflow (CVE-2007...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa] Falco
Depends on:
Reported: 2007-02-11 23:40 UTC by Carsten Lohrke (RETIRED)
Modified: 2007-03-31 18:24 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Carsten Lohrke (RETIRED) gentoo-dev 2007-02-11 23:40:05 UTC
Exploitation of the vulnerability could allow an attacker to execute arbitrary code with the privileges of the user opening the file. Exploitation would require that an attacker hosts a maliciously crafted document on a website and entice users to visit the site. An attacker could also e-mail the malicious document and use social engineering techniques to trick the e-mail recipient into opening the document.

There are several mitigating factors for this vulnerability. Nearly all Windows users will use the GUI based WinRAR to open archives, and it is not vulnerable. If users are using the vulnerable command line based unrar, they still need to interact with the program in order to trigger the vulnerability. They must respond to the prompt asking for the password, after which the vulnerability will be triggered. They do not need to enter a correct password, but they must at least push the enter key.

Reproducible: Always
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-12 12:58:04 UTC
Thanks Carsten, this vuln went out of my scope :(

base-system, could you bump unrar version 3.7.0 please? thanks
Comment 2 SpanKY gentoo-dev 2007-02-12 13:15:13 UTC
rar-3.7.0_beta1 and unrar-3.7.3 now in portage
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-12 15:25:12 UTC
Thanks vapier for the very quick bump, and for unrar too.

hi arches, please test and mark stable :

rar-3.7.0_beta1  for AMD64 and X86

unrar-3.7.3  for all arches
Comment 4 Jeroen Roovers gentoo-dev 2007-02-12 16:01:37 UTC
Stable for HPPA.
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2007-02-12 16:20:31 UTC
sparc stable.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2007-02-12 16:24:54 UTC
both rar and unrar x86 stable
Comment 7 Simon Stelling (RETIRED) gentoo-dev 2007-02-12 16:49:12 UTC
both stable on amd64
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-02-12 19:04:22 UTC
ppc stable
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2007-02-13 11:08:26 UTC
ppc64 stable
Comment 10 Andre Meyer 2007-02-13 13:57:44 UTC
this may be the wrong place to report, but i think there is a dependency to glibc 2.4 missing

/lib/ version `GLIBC_2.4' not found (required by /opt/bin/rar)

i can only use sys-libs/glibc-2.3.6-r5

Portage 2.1.2-r9 (selinux/2005.1/x86/hardened, gcc-3.4.6, glibc-2.3.6-r5, 2.6.18-hardened i686)
Comment 11 Chris Gianelloni (RETIRED) gentoo-dev 2007-02-13 22:14:27 UTC
alpha done
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-13 23:56:05 UTC
GLSA 200702-04, thanks to everybody. ARM, IA64, S390, don't forget to mark stable.
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2007-03-31 18:24:46 UTC
arm/ia64/s390 done